Secondary storage architecture for a network control system that utilizes a primary network information base

ABSTRACT

Some embodiments provide a system for managing several switching elements. The system includes a network information base (NIB) data structure for serving as a primary storage structure for storing data for managing the several switching elements. The system includes a secondary storage structure for storing a copy of a set of data stored in the primary storage structure for managing the several the switching elements.

CLAIM OF BENEFIT TO PRIOR APPLICATION

This application claims benefit to U.S. Provisional Patent Application61/361,912, filed on Jul. 6, 2010; U.S. Provisional Patent Application61/361,913, filed on Jul. 6, 2010; U.S. Provisional Patent Application61/429,753, filed on Jan. 4, 2011; U.S. Provisional Patent Application61/429,754, filed on Jan. 4, 2011; U.S. Provisional Patent Application61/466,453, filed on Mar. 22, 2011; U.S. Provisional Patent Application61/482,205, filed on May 3, 2011; U.S. Provisional Patent Application61/482,615, filed on May 4, 2011; U.S. Provisional Patent Application61/482,616, filed on May 4, 2011; U.S. Provisional Patent Application61/501,743, filed on Jun. 27, 2011; and U.S. Provisional PatentApplication 61/501,785, filed on Jun. 28, 2011. These provisionalapplications are incorporated herein by reference.

BACKGROUND

Many current enterprises have large and sophisticated networkscomprising switches, hubs, routers, servers, workstations and othernetworked devices, which support a variety of connections, applicationsand systems. The increased sophistication of computer networking,including virtual machine migration, dynamic workloads, multi-tenancy,and customer specific quality of service and security configurationsrequire a better paradigm for network control. Networks havetraditionally been managed through low-level configuration of individualcomponents. Network configurations often depend on the underlyingnetwork: for example, blocking a user's access with an access controllist (“ACL”) entry requires knowing the user's current IP address. Morecomplicated tasks require more extensive network knowledge: forcingguest users' port 80 traffic to traverse an HTTP proxy requires knowingthe current network topology and the location of each guest. Thisprocess is of increased difficulty where the network switching elementsare shared across multiple users.

In response, there is a growing movement, driven by both industry andacademia, towards a new network control paradigm called Software-DefinedNetworking (SDN). In the SDN paradigm, a network controller, running onone or more servers in a network, controls, maintains, and implementscontrol logic that governs the forwarding behavior of shared networkswitching elements on a per user basis. Making network managementdecisions often requires knowledge of the network state. To facilitatemanagement decision making, the network controller creates and maintainsa view of the network state and provides an application programminginterface upon which management applications may access a view of thenetwork state.

Three of the many challenges of large networks (including datacentersand the enterprise) are scalability, mobility, and multi-tenancy andoften the approaches taken to address one hamper the other. Forinstance, one can easily provide network mobility for virtual machines(VMs) within an L2 domain, but L2 domains cannot scale to large sizes.Also, retaining tenant isolation greatly complicates mobility. Despitethe high-level interest in SDN, no existing products have been able tosatisfy all of these requirements.

BRIEF SUMMARY

Some embodiments of the invention provide a system that allows severaldifferent logical data path sets to be specified for several differentusers through one or more shared network infrastructure switchingelements (referred to as “switching elements” below). In someembodiments, the system includes a set of software tools that allows thesystem to accept logical data path sets from users and to configure theswitching elements to implement these logical data path sets. Thesesoftware tools allow the system to virtualize control of the sharedswitching elements and the network that is defined by the connectionsbetween these shared switching elements, in a manner that prevents thedifferent users from viewing or controlling each other's logical datapath sets (i.e., each other's switching logic) while sharing the sameswitching elements.

In some embodiments, one of the software tools that allows the system tovirtualize control of a set of switching elements (i.e., to allowseveral users to share the same switching elements without viewing orcontrolling each other's logical data path sets) is an intermediate datastorage structure that (1) stores the state of the network, (2) receivesand records modifications to different parts of the network fromdifferent users, and (3), in some embodiments, provides different viewsof the state of the network to different users. For instance, in someembodiments, the intermediate data storage structure is a networkinformation base (NIB) data structure that stores the state of thenetwork that is defined by one or more switching elements. The systemuses this NIB data structure as an intermediate storage structure forreading the state of the network and writing modifications to the stateof the network. In some embodiments, the NIB also stores the logicalconfiguration and the logical state for each user specified logical datapath set. In these embodiments, the information in the NIB thatrepresents the state of the actual switching elements accounts for onlya subset of the total information stored in the NIB.

In some embodiments, the system has (1) a network operating system (NOS)to create and maintain the NIB storage structure, and (2) one or moreapplications that run on top of the NOS to specify logic for readingvalues from and writing values to the NIB. When the NIB is modified inorder to effectuate a change in the switching logic of a switchingelement, the NOS of some embodiments also propagates the modification tothe switching element.

The system of different embodiments uses the NIB differently tovirtualize access to the shared switching elements and network. In someembodiments, the system provides different views of the NIB to differentusers in order to ensure that different users do not have direct viewand control over each other's switching logic. For instance, in someembodiments, the NIB is a hierarchical data structure that representsdifferent attributes of different switching elements as elements (e.g.,different nodes) in a hierarchy. The NIB in some of these embodiments isa multi-layer hierarchical data structure, with each layer having ahierarchical structure and one or more elements (e.g., nodes) on eachlayer linked to one or more elements (e.g., nodes) on another layer. Insome embodiments, the lowest layer elements correspond to the actualswitching elements and their attributes, while each of the higher layerelements serve as abstractions of the actual switching elements andtheir attributes. As further described below, some of these higher layerelements are used in some embodiments to show different abstractswitching elements and/or switching element attributes to differentusers in a virtualized control system.

In some embodiments, the definition of different NIB elements atdifferent hierarchical levels in the NIB and the definition of the linksbetween these elements are used by the developers of the applicationsthat run on top of the NOS in order to define the operations of theseapplications. For instance, in some embodiments, the developer of anapplication running on top of the NOS uses these definitions toenumerate how the application is to map the logical data path sets ofthe user to the physical switching elements of the control system. Underthis approach, the developer would have to enumerate all differentscenarios that the control system may encounter and the mappingoperation of the application for each scenario. This type of networkvirtualization (in which different views of the NIB are provided todifferent users) is referred to below as Type I network virtualization.

Another type of network virtualization, which is referred to below asType II network virtualization, does not require the applicationdevelopers to have intimate knowledge of the NIB elements and the links(if any) in the NIB between these elements. Instead, this type ofvirtualization allows the application to simply provide user specified,logical switching element attributes in the form of one or more tables,which are then mapped to NIB records by a table mapping engine. In otherwords, the Type II virtualized system of some embodiments accepts thelogical switching element configurations (e.g., access control listtable configurations, L2 table configurations, L3 table configurations,etc.) that the user defines without referencing any operational state ofthe switching elements in a particular network configuration. It thenmaps the logical switching element configurations to the switchingelement configurations stored in the NIB.

To perform this mapping, the system of some embodiments uses a databasetable mapping engine to map input tables, which are created from (1)logical switching configuration attributes, and (2) a set of propertiesassociated with switching elements used by the system, to output tables.The content of these output tables are then transferred to the NIBelements. In some embodiments, the system uses a variation of thedatalog database language, called nLog, to create the table mappingengine that maps input tables containing logical data path data andswitching element attributes to the output tables. Like datalog, nLogprovides a few declaratory rules and operators that allow a developer tospecify different operations that are to be performed upon theoccurrence of different events. In some embodiments, nLog provides alimited subset of the operators that are provided by datalog in order toincrease the operational speed of nLog. For instance, in someembodiments, nLog only allows the AND operator to be used in any of thedeclaratory rules.

The declaratory rules and operations that are specified through nLog arethen compiled into a much larger set of rules by an nLog compiler. Insome embodiments, this compiler translates each rule that is meant toaddress an event into several sets of database join operations.Collectively the larger set of rules forms the table-mapping rulesengine that is referred to below as the nLog engine. In someembodiments, the nLog virtualization engine also provides feedback(e.g., from one or more of the output tables or from NIB records thatare updated to reflect values stored in the output tables) to the userin order to provide the user with state information about the logicaldata path set that he or she created. In this manner, the updates thatthe user gets are expressed in terms of the logical space that the userunderstands and not in terms of the underlying switching element states,which the user does not understand.

The use of nLog serves as a significant distinction between Type Ivirtualized control systems and Type II virtualized control systems,even for Type II systems that store user specified logical data pathsets in the NIB. This is because nLog provides a machine-generated rulesengine that addresses the mapping between the logical and physicaldomains in a more robust, comprehensive manner than the hand-codedapproach used for Type I virtualized control systems. In the Type Icontrol systems, the application developers need to have a detailedunderstanding of the NIB structure and need to use this detailedunderstanding to write code that addresses all possible conditions thatthe control system would encounter at runtime. On the other hand, inType II control systems, the application developers only need to produceapplications that express the user-specified logical data path sets interms of one or more tables, which are then mapped in an automatedmanner to output tables and later transferred from the output tables tothe NIB. This approach allows the Type II virtualized systems to foregomaintaining the data regarding the logical data path sets in the NIB.However, some embodiments maintain this data in the NIB in order todistribute this data among other NOS instances, as further describedbelow.

As apparent from the above discussion, the applications that run on topof a NOS instance can perform several different sets of operations inseveral different embodiments of the invention. Examples of suchoperations include providing an interface to a user to access NIB dataregarding the user's switching configuration, providing differentlayered NIB views to different users, providing control logic formodifying the provided NIB data, providing logic for propagatingreceived modifications to the NIB, etc.

In some embodiments, the system embeds some or all such operations inthe NOS instead of including them in an application operating on top ofthe NOS. Alternatively, in other embodiments, the system separates someor all of these operations into different subsets of operations and thenhas two or more applications that operate above the NOS perform thedifferent subsets of operations. One such system runs two applicationson top of the NOS: a control application and a virtualizationapplication. In some embodiments, the control application allows a userto specify and populate logical data path sets, while the virtualizationapplication implements the specified logical data path sets by mappingthe logical data path sets to the physical switching infrastructure. Insome embodiments, the virtualization application translates controlapplication input into records that are written into the NIB, and thenthese records are subsequently transferred from the NIB to the switchinginfrastructure through the operation of the NOS. In some embodiments,the NIB stores both the logical data path set input received through thecontrol application and the NIB records that are produced by thevirtualization application.

In some embodiments, the control application can receive switchinginfrastructure data from the NIB. In response to this data, the controlapplication may modify record(s) associated with one or more logicaldata path sets (LDPS). Any such modified LDPS record would then betranslated to one or more physical switching infrastructure records bythe virtualization application, which might then be transferred to thephysical switching infrastructure by the NOS.

In some embodiments, the NIB stores data regarding each switchingelement within the network infrastructure of a system, while in otherembodiments, the NIB stores state information about only switchingelements at the edge of a network infrastructure. In some embodiments,edge switching elements are switching elements that have directconnections with the computing devices of the users, while non-edgeswitching elements only connect to edge switching elements and othernon-edge switching elements.

The system of some embodiments only controls edge switches (i.e., onlymaintains data in the NIB regarding edge switches) for several reasons.Controlling edge switches provides the system with a sufficientmechanism for maintaining isolation between computing devices, which isneeded, as opposed to maintaining isolation between all switch elements,which is not needed. The interior switches forward between switchingelements. The edge switches forward between computing devices and othernetwork elements. Thus, the system can maintain user isolation simply bycontrolling the edge switching elements because the edge switchingelements are the last switches in line to forward packets to hosts.

Controlling only edge switches also allows the system to be deployedindependent of concerns about the hardware vendor of the non-edgeswitches. Deploying at the edge allows the edge switches to treat theinternal nodes of the network as simply a collection of elements thatmoves packets without considering the hardware makeup of these internalnodes. Also, controlling only edge switches makes distributing switchinglogic computationally easier. Controlling only edge switches alsoenables non-disruptive deployment of the system. Edge switchingsolutions can be added as top of rack switches without disrupting theconfiguration of the non-edge switches.

In addition to controlling edge switches, the network control system ofsome embodiments also utilizes and controls non-edge switches that areinserted in the switch network hierarchy to simplify and/or facilitatethe operation of the controlled edge switches. For instance, in someembodiments, the control system requires the switches that it controlsto be interconnected in a hierarchical switching architecture that hasseveral edge switches as the leaf nodes in this switching architectureand one or more non-edge switches as the non-leaf nodes in thisarchitecture. In some such embodiments, each edge switch connects to oneor more of the non-leaf switches, and uses such non-leaf switches tofacilitate its communication with other edge switches. Examples offunctions that such non-leaf switches provide to facilitate suchcommunications between edge switches in some embodiments include (1)routing of a packet with an unknown destination address (e.g., unknownMAC address) to the non-leaf switch so that this switch can route thispacket to the appropriate edge switch, (2) routing a multicast orbroadcast packet to the non-leaf switch so that this switch can convertthis packet to a series of unicast packets for routing to the desireddestinations, (3) bridging remote managed networks that are separated byone or more networks, and (4) bridging a managed network with anunmanaged network.

Some embodiments employ one level of non-leaf (non-edge) switches thatconnect to edge switches and in some cases to other non-leaf switches.Other embodiments, on the other hand, employ multiple levels of non-leafswitches, with each level of non-leaf switch after the first levelserving as a mechanism to facilitate communication between lower levelnon-leaf switches and leaf switches. In some embodiments, the non-leafswitches are software switches that are implemented by storing theswitching tables in the memory of a standalone computer instead of anoff-the-shelf switch. In some embodiments, the standalone computer mayalso be executing a hypervisor and one or more virtual machines on topof that hypervisor. Irrespective of the manner by which the leaf andnon-leaf switches are implemented, the NIB of the control system of someembodiments stores switching state information regarding the leaf andnon-leaf switches.

The above discussion relates to the control of edge switches andnon-edge switches by a network control system of some embodiments. Insome embodiments, edge switches and non-edge switches (leaf and non-leafnodes) may be referred to as managed switches. This is because theseswitches are managed by the network control system (as opposed tounmanaged switches, which are not managed by the network control system,in the network) in order to implement logical data path sets through themanaged switches.

In addition to using the NIB to store switching-element data, thevirtualized network-control system of some embodiments also stores otherstorage structures to store data regarding the switching elements of thenetwork. These other storage structures are secondary storage structuresthat supplement the storage functions of the NIB, which is the primarystorage structure of the system while the system operates. In someembodiments, the primary purpose for one or more of the secondarystorage structures is to back up the data in the NIB. In these or otherembodiments, one or more of the secondary storage structures serve apurpose other than backing up the data in the NIB (e.g., for storingdata that is not in the NIB).

In some embodiments, the NIB is stored in system memory (e.g., RAM)while the system operates. This allows for fast access of the NIBrecords. In some embodiments, one or more of the secondary storagestructures, on the other hand, are stored on disks, or othernon-volatile memories, which can be slower to access. Such non-volatiledisks or other non-volatile memories, however, improve the resiliency ofthe system as they allow the data to be stored in a persistent manner.

The system of some embodiments uses multiple types of storages in itspool of secondary storage structures. These different types ofstructures store different types of data, store data in differentmanners, and provide different query interfaces that handle differenttypes of queries. For instance, in some embodiments, the system uses apersistent transactional database (PTD) and a hash table structure. ThePTD in some embodiments is a database that is stored on disk or othernon-volatile memory. In some embodiments, the PTD is a commonlyavailable database, such as MySQL or SQLite. The PTD of some embodimentscan handle complex transactional queries. As a transactional database,the PTD can undo a series of earlier query operations that it hasperformed as part of a transaction when one of the subsequent queryoperations of the transaction fails.

Moreover, some embodiments define a transactional guard processing (TGP)layer before the PTD in order to allow the PTD to execute conditionalsets of database transactions. The TGP layer allows the PTD to avoidunnecessary later database operations when conditions of earlieroperations are not met. The PTD in some embodiments stores an exactreplica of the data that is stored in the NIB, while in otherembodiments it stores only a subset of the data that is stored in theNIB. In some embodiments, some or all of the data in the NIB is storedin the PTD in order to ensure that the NIB data will not be lost in theevent of a crash of the NOS or the NIB.

While the system is running, the hash table in some embodiments is notstored on a disk or other non-volatile memory. Instead, it is a storagestructure that is stored in volatile system memory when the system isrunning. When the system is powered down, the contents of the hash tableare stored on disk. The hash table uses hashed indices that allow it toretrieve records in response to queries. This structure combined withthe hash table's placement in the system's volatile memory allows thetable to be accessed very quickly. To facilitate this quick access, asimplified query interface is used in some embodiments. For instance, insome embodiments, the hash table has just two queries: a Put query forwriting values to the table and a Get query for retrieving values fromthe table. The system of some embodiments uses the hash table to storedata that the NOS needs to retrieve very quickly. Examples of such datainclude network entity status, statistics, state, uptime, linkarrangement, and packet handling information. Furthermore, in someembodiments, the NOS uses the hash tables as a cache to storeinformation that is repeatedly queried, such as flow entries that willbe written to multiple nodes.

Using a single NOS instance to control a network can lead to scaling andreliability issues. As the number of network elements increases, theprocessing power and/or memory capacity that are required by thoseelements will saturate a single node. Some embodiments further improvethe resiliency of the control system by having multiple instances of theNOS running on one or more computers, with each instance of the NOScontaining one or more of the secondary storage structures describedabove. Each instance in some embodiments not only includes a NOSinstance, but also includes a virtualization application instance and/ora control application instance. In some of these embodiments, thecontrol and/or virtualization applications partition the workloadbetween the different instances in order to reduce each instance'scontrol and/or virtualization workload. Also, in some embodiments, themultiple instances of the NOS communicate the information stored intheir secondary storage layers to enable each instance of the NOS tocover for the others in the event of a NOS instance failing. Moreover,some embodiments use the secondary storage layer (i.e., one or more ofthe secondary storages) as a channel for communicating between thedifferent instances.

The distributed, multi-instance control system of some embodimentsmaintains the same switch element data records in the NIB of eachinstance, while in other embodiments, the system allows NIBs ofdifferent instances to store different sets of switch element datarecords. Some embodiments that allow different instances to storedifferent portions of the NIB, divide the NIB into N mutually exclusiveportions and store each NIB portion in one NIB of one of N controllerinstances, where N is an integer value greater than 1. Other embodimentsdivide the NIB into N portions and store different NIB portions indifferent controller instances, but allow some or all of the portions topartially (but not completely) overlap with the other NIB portions.

The hash tables in the distributed control system of some embodimentsform a distributed hash table (DHT), with each hash table serving as aDHT instance. In some embodiments, the DHT instances of all controllerinstances collectively store one set of records that is indexed based onhashed indices for quick access. These records are distributed acrossthe different controller instances to minimize the size of the recordswithin each instance and to allow for the size of the DHT to beincreased by adding other DHT instances. According to this scheme, eachDHT record is not stored in each controller instance. In fact, in someembodiments, each DHT record is stored in at most one controllerinstance. To improve the system's resiliency, some embodiments, however,allow one DHT record to be stored in more than one controller instance,so that in case one instance fails, the DHT records of that failedinstance can be accessed from other instances. Some embodiments do notallow for replication of records across different DHT instances or allowonly a small amount of such records to be replicated because theseembodiments store in the DHT only the type of data that can be quicklyre-generated.

The distributed control system of some embodiments replicates each NIBrecord in the secondary storage layer (e.g., in each PTD instance and/orin the DHT) in order to maintain the records in the NIB in a persistentmanner. For instance, in some embodiments, all the NIB records arestored in the PTD storage layer. In other embodiments, only a portion ofthe NIB data is replicated in the PTD storage layer. For instance, someembodiments store a subset of the NIB records in another one of thesecondary storage records, such as the DHT.

By allowing different NOS instances to store the same or overlapping NIBrecords, and/or secondary storage structure records, the system improvesits overall resiliency by guarding against the loss of data due to thefailure of any NOS or secondary storage structure instance. Forinstance, in some embodiments, the portion of NIB data that isreplicated in the PTD (which is all of the NIB data in some embodimentsor part of the NIB data in other embodiments) is replicated in the NIBsand PTDs of all controller instances, in order to protect againstfailures of individual controller instances (e.g., of an entirecontroller instance or a portion of the controller instance).

In some embodiments, each of the storages of the secondary storage layeruses a different distribution technique to improve the resiliency of amultiple NOS instance system. For instance, as mentioned above, thesystem of some embodiments replicates the PTD across NOS instances sothat every NOS has a full copy of the PTD to enable a failed NOSinstance to quickly reload its PTD from another instance. In someembodiments, the system distributes the DHT fully or with minimaloverlap across multiple controller instances in order to minimize thesize of the DHT instance (e.g., the amount of memory the DHT instanceutilizes) within each instance. This approach also allows the size ofthe DHT to be increased by adding additional DHT instances, and this inturn allows the system to be more scalable.

For some or all of the communications between the distributed instances,the distributed system of some embodiments uses coordination managers(CM) in the controller instances to coordinate activities between thedifferent controllers. Examples of such activities include writing tothe NIB, writing to the PTD, writing to the DHT, controlling theswitching elements, facilitating intra-controller communication relatedto fault tolerance of controller instances, etc.

To distribute the workload and to avoid conflicting operations fromdifferent controller instances, the distributed control system of someembodiments designates one controller instance within the system as themaster of any particular NIB portion (e.g., as the master of a logicaldata path set) and one controller instance within the system as themaster of any given switching element. Even with one master controller,a different controller instance can request changes to different NIBportions and/or to different switching elements controlled by themaster. If allowed, the master instance then effectuates this change andwrites to the desired NIB portion and/or switching element. Otherwise,the master rejects the request.

The preceding Summary is intended to serve as a brief introduction tosome embodiments of the invention. It is not meant to be an introductionor overview of all inventive subject matter disclosed in this document.The Detailed Description that follows and the Drawings that are referredto in the Detailed Description will further describe the embodimentsdescribed in the Summary as well as other embodiments. Accordingly, tounderstand all the embodiments described by this document, a full reviewof the Summary, Detailed Description and the Drawings is needed.Moreover, the claimed subject matters are not to be limited by theillustrative details in the Summary, Detailed Description and theDrawings, but rather are to be defined by the appended claims, becausethe claimed subject matters can be embodied in other specific formswithout departing from the spirit of the subject matters.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features of the invention are set forth in the appendedclaims. However, for purposes of explanation, several embodiments of theinvention are set forth in the following figures.

FIG. 1 illustrates a virtualized network system of some embodiments ofthe invention.

FIG. 2 conceptually illustrates an example of switch controllerfunctionality.

FIG. 3 conceptually illustrates an example of displaying different NIBviews to different users.

FIG. 4 conceptually illustrates a virtualized system that employsseveral applications above the NOS of some embodiments.

FIG. 5 conceptually illustrates an example of a virtualized system.

FIG. 6 conceptually illustrates the switch infrastructure of amulti-tenant server hosting system.

FIG. 7 conceptually illustrates a virtualized network control system ofsome embodiments that manages the edge switches.

FIG. 8 conceptually illustrates a virtualized system of some embodimentsthat employs secondary storage structures that supplement storageoperations of a NIB.

FIG. 9 conceptually illustrates a multi-instance, distributed networkcontrol system of some embodiments.

FIG. 10 conceptually illustrates an approach of maintaining an entireglobal NIB data structure in each NOS instance according to someembodiments of the invention.

FIG. 11 conceptually illustrates an alternative approach of dividing aglobal NIB into separate portions and storing each of these portions ina different NOS instance according to some embodiments of the invention.

FIG. 12 conceptually illustrates another alternative approach ofdividing a global NIB into overlapping portions and storing each ofthese portions in different NOS instances according to some embodimentsof the invention.

FIG. 13 illustrates an example of specifying a master controllerinstance for a switch in a distributed system according to someembodiments of the invention.

FIG. 14 conceptually illustrates a NIB storage structure of someembodiments.

FIG. 15 conceptually illustrates a portion of a physical network that aNIB of some embodiments represents.

FIG. 16 conceptually illustrates attribute data that entity objects of aNIB contain according to some embodiments of the invention.

FIG. 17 conceptually illustrates relationships of several NIB entityclasses of some embodiments.

FIG. 18 conceptually illustrates a set of NIB entity classes of someembodiments and some of the attributes associated with those NIB entityclasses.

FIG. 19 conceptually illustrates another portion of the same set of NIBentity classes illustrated in FIG. 18 according to some embodiments ofthe invention.

FIG. 20 conceptually illustrates a set of common NIB class functions ofsome embodiments.

FIG. 21 conceptually illustrates a distributed network control system ofsome embodiments.

FIG. 22 conceptually illustrates pushing a NIB change through a PTDstorage layer according to some embodiments of the invention.

FIG. 23 illustrates a range list that is maintained by a CM of someembodiments.

FIG. 24 conceptually illustrates a DHT-identification operation of a CMof some embodiments.

FIG. 25 conceptually illustrates a CM of a controller instance of someembodiments.

FIG. 26 conceptually illustrates a single NOS instance of someembodiments.

FIG. 27 conceptually illustrates a process of some embodiments thatregisters NIB notifications for applications running above a NOS andthat calls these applications upon change of NIB records.

FIG. 28 conceptually illustrates a process of some embodiments that aNIB export module of a set of transfer modules performs.

FIG. 29 illustrates trigger records that are maintained for differentPTD records in a PTD trigger list according to some embodiments of theinvention.

FIG. 30 conceptually illustrates a DHT record trigger that is storedwith a newly created record according to some embodiments of theinvention.

FIG. 31 conceptually illustrates a process of some embodiments that aNIB import module of a set of transfer modules performs.

FIG. 32 conceptually illustrates a data flow diagram that shows thecombined operations of export and import processes illustrated in FIGS.28 and 31 according to some embodiments of the invention.

FIG. 33 conceptually illustrates three processes of some embodiments fordealing with a NIB modification request from an application running ontop of a NOS of a controller instance.

FIG. 34 conceptually illustrates a DHT storage structure of a NOSinstance of some embodiments.

FIG. 35 conceptually illustrates operation of a DHT storage structureaccording to some embodiments of the invention.

FIGS. 36 and 37 illustrate examples of accessing a DHT range list andprocessing triggers.

FIG. 38 conceptually illustrates a process of some embodiments that aDHT query manager performs.

FIG. 39 conceptually illustrates a PTD storage structure of someembodiments.

FIG. 40 conceptually illustrates a NIB/PTD replication process of someembodiments.

FIG. 41 conceptually illustrates a process of some embodiments that aPTD instance performs.

FIG. 42 conceptually illustrates a master update process of someembodiments that a master PTD instance performs.

FIG. 43 conceptually illustrates a data flow diagram that shows a PTDreplication process of some embodiments.

FIG. 44 conceptually illustrates a process of some embodiments that isused to propagate a change in a NIB instance to another NIB instancesthrough a DHT instance.

FIG. 45 conceptually illustrates an electronic system with which someembodiments of the invention are implemented.

DETAILED DESCRIPTION

In the following detailed description of the invention, numerousdetails, examples, and embodiments of the invention are set forth anddescribed. However, it will be clear and apparent to one skilled in theart that the invention is not limited to the embodiments set forth andthat the invention may be practiced without some of the specific detailsand examples discussed.

Some embodiments of the invention provide a method that allows severaldifferent logical data path sets to be specified for several differentusers through one or more shared switching elements without allowing thedifferent users to control or even view each other's switching logic. Insome embodiments, the method provides a set of software tools thatallows the system to accept logical data path sets from users and toconfigure the switching elements to implement these logical data pathsets. These software tools allow the method to virtualize control of theshared switching elements and the network that is defined by theconnections between these shared switching elements, in a manner thatprevents the different users from viewing or controlling each other'slogical data path sets while sharing the same switching elements.

In some embodiments, one of the software tools that the method providesthat allows it to virtualize control of a set of switching elements(i.e., to enable the method to allow several users to share the sameswitching elements without viewing or controlling each other's logicaldata path sets) is an intermediate data storage structure that (1)stores the state of the network, (2) receives modifications to differentparts of the network from different users, and (3), in some embodiments,provides different views of the state of the network to different users.For instance, in some embodiments, the intermediate data storagestructure is a network information base (NIB) data structure that storesthe state of the network that is defined by one or more switchingelements. In some embodiments, the NIB also stores the logicalconfiguration and the logical state for each user specified logical datapath set. In these embodiments, the information in the NIB thatrepresents the state of the actual switching elements accounts for onlya subset of the total information stored in the NIB.

The method uses the NIB data structure to read the state of the networkand to write modifications to the state of the network. When the datastructure is modified in order to effectuate a change in the switchinglogic of a switching element, the method propagates the modification tothe switching element.

In some embodiments, the method is employed by a virtualized networkcontrol system that (1) allows user to specify different logical datapath sets, (2) maps these logical data path sets to a set of switchingelements managed by the control system. In some embodiments, theswitching elements include virtual or physical network switches,software switches (e.g., Open vSwitch), routers, and/or other switchingelements, as well as any other network elements (such as load balancers,etc.) that establish connections between these switches, routers, and/orother switching elements. Such switching elements (e.g., physicalswitching elements, such as physical switches or routers) areimplemented as software switches in some embodiments. Software switchesare switches that are implemented by storing the switching tables in thememory of a standalone computer instead of an off the shelf switch. Insome embodiments, the standalone computer may also be executing in somecases a hypervisor and one or more virtual machines on top of thathypervisor

These switches are referred to below as managed switching elements ormanaged forwarding elements as they are managed by the network controlsystem in order to implement the logical data path sets. In someembodiments described below, the control system manages these switchingelements by pushing physical control plane data to them, as furtherdescribed below. Switching elements generally receive data (e.g., a datapacket) and perform one or more processing operations on the data, suchas dropping a received data packet, passing a packet that is receivedfrom one source device to another destination device, processing thepacket and then passing it a destination device, etc. In someembodiments, the physical control plane data that is pushed to aswitching element is converted by the switching element (e.g., by ageneral purpose processor of the switching element) to physicalforwarding plane data that specify how the switching element (e.g., howa specialized switching circuit of the switching element) process datapackets that it receives.

The virtualized control system of some embodiments includes (1) anetwork operating system (NOS) that creates and maintains the NIBstorage structure, and (2) one or more applications that run on top ofthe NOS to specify control logic for reading values from and writingvalues to the NIB. The NIB of some of these embodiments serves as acommunication channel between the different controller instances and, insome embodiments, a communication channel between different processinglayers of a controller instance.

Several examples of such systems are described below in Section I.Section II then describes the NIB data structure of some embodiments ofthe invention. Section III then describes a distributed, multi-instancearchitecture of some embodiments in which multiple stacks of the NOS andthe control applications are used to control the shared switchingelements within a network in a scalable and resilient manner. Section IVthen provides a more detailed example of the NOS of some embodiments ofthe invention. Section V then describes several other data storagestructures that are used by the NOS of some embodiments of theinvention. Finally, Section VI describes the computer systems andprocesses used to implement some embodiments of the invention.

I. Virtualized Control System

FIG. 1 illustrates a virtualized network system 100 of some embodimentsof the invention. This system allows multiple users to create andcontrol multiple different sets of logical data paths on a shared set ofnetwork infrastructure switching elements (referred to below as“switching elements”). In allowing a user to create and control theuser's set of logical data paths (i.e., the user's switching logic), thesystem does not allow the user to have direct access to another user'sset of logical data paths in order to view or modify the other user'sswitching logic. However, the system does allow different users to passpackets through their virtualized switching logic to each other if theusers desire such communication.

As shown in FIG. 1, the system 100 includes one or more switchingelements 105, a network operating system 110, a network information base115, and one or more applications 120. The switching elements include Nswitching elements (where N is a number equal to 1 or greater) that formthe network infrastructure switching elements of the system 100. In someembodiments, the network infrastructure switching elements includevirtual or physical network switches, software switches (e.g., OpenvSwitch), routers, and/or other switching elements, as well as any othernetwork elements (such as load balancers, etc.) that establishconnections between these switches, routers, and/or other switchingelements. All such network infrastructure switching elements arereferred to below as switching elements or forwarding elements.

The virtual or physical switching elements 105 typically include controlswitching logic 125 and forwarding switching logic 130. In someembodiments, a switch's control logic 125 specifies (1) the rules thatare to be applied to incoming packets, (2) the packets that will bediscarded, and (3) the packet processing methods that will be applied toincoming packets. The virtual or physical switching elements 105 use thecontrol logic 125 to populate tables governing the forwarding logic 130.The forwarding logic 130 performs lookup operations on incoming packetsand forwards the incoming packets to destination addresses.

As further shown in FIG. 1, the system 100 includes one or moreapplications 120 through which switching logic (i.e., sets of logicaldata paths) is specified for one or more users (e.g., by one or moreadministrators or users). The network operating system (NOS) 110 servesas a communication interface between (1) the switching elements 105 thatperform the physical switching for any one user, and (2) theapplications 120 that are used to specify switching logic for the users.In this manner, the application logic determines the desired networkbehavior while the NOS merely provides the primitives needed to accessthe appropriate network state. In some embodiments, the NOS 110 providesa set of Application Programming Interfaces (API) that provides theapplications 120 programmatic access to the network switching elements105 (e.g., access to read and write the configuration of networkswitching elements). In some embodiments, this API set is data-centricand is designed around a view of the switching infrastructure, allowingcontrol applications to read the state from and write the state to anyelement in the network.

To provide the applications 120 programmatic access to the switchingelements, the NOS 110 itself needs to be able to control the switchingelements 105. The NOS uses different techniques in different embodimentsto control the switching elements. In some embodiments, the NOS canspecify both control and forwarding switching logic 125 and 130 of theswitching elements. In other embodiments, the NOS 110 controls only thecontrol switching logic 125 of the switching elements, as shown inFIG. 1. In some of these embodiments, the NOS 110 manages the controlswitching logic 125 of a switching element through a commonly knownswitch-access interface that specifies a set of APIs for allowing anexternal application (such as a network operating system) to control thecontrol plane functionality of a switching element. Two examples of suchknown switch-access interfaces are the OpenFlow interface and the OpenVirtual Switch interface, which are respectively described in thefollowing two papers: McKeown, N. (2008). OpenFlow: Enabling Innovationin Campus Networks (which can be retrieved fromhttp://www.openflowswitch.org//documents/openflow-wp-latest.pdf), andPettit, J. (2010). Virtual Switching in an Era of Advanced Edges (whichcan be retrieved from http://openvswitch.org/papers/dccaves2010.pdf).These two papers are incorporated herein by reference.

FIG. 1 conceptually illustrates the use of switch-access APIs throughthe depiction of dashed boxes 135 around the control switching logic125. Through these APIs, the NOS can read and write entries in thecontrol plane flow tables. The NOS' connectivity to the switchingelements' control plane resources (e.g., the control plane tables) isimplemented in-band (i.e., with the network traffic controlled by NOS)in some embodiments, while it is implemented out-of-band (i.e., over aseparate physical network) in other embodiments. There are only minimalrequirements for the chosen mechanism beyond convergence on failure andbasic connectivity to the NOS, and thus, when using a separate network,standard IGP protocols such as IS-IS or OSPF are sufficient.

In order to define the control switching logic 125 for physicalswitching elements, the NOS of some embodiments uses the Open VirtualSwitch protocol to create one or more control tables within the controlplane of a switch element. The control plane is typically created andexecuted by a general purpose CPU of the switching element. Once thesystem has created the control table(s), the system then writes flowentries to the control table(s) using the OpenFlow protocol. The generalpurpose CPU of the physical switching element uses its internal logic toconvert entries written to the control table(s) to populate one or moreforwarding tables in the forwarding plane of the switch element. Theforwarding tables are created and executed typically by a specializedswitching chip of the switching element. Through its execution of theflow entries within the forwarding tables, the switching chip of theswitching element can process and route packets of data that itreceives.

To enable the programmatic access of the applications 120 to theswitching elements 105, the NOS also creates the network informationbase (NIB) 115. The NIB is a data structure in which the NOS stores acopy of the switch-element states tracked by the NOS. The NIB of someembodiments is a graph of all physical or virtual switch elements andtheir interconnections within a physical network topology and theirforwarding tables. For instance, in some embodiments, each switchingelement within the network infrastructure is represented by one or moredata objects in the NIB. However, in other embodiments, the NIB storesstate information about only some of the switching elements. Forexample, as further described below, the NIB in some embodiments onlykeeps track of switching elements at the edge of a networkinfrastructure. In yet other embodiments, the NIB stores stateinformation about edge switching elements in a network as well as somenon-edge switching elements in the network that facilitate communicationbetween the edge switching elements. In some embodiments, the NIB alsostores the logical configuration and the logical state for each userspecified logical data path set. In these embodiments, the informationin the NIB that represents the state of the actual switching elementsaccounts for only a subset of the total information stored in the NIB.

In some embodiments, the NIB 115 is the heart of the NOS control modelin the virtualized network system 100. Under one approach, applicationscontrol the network by reading from and writing to the NIB.Specifically, in some embodiments, the application control logic can (1)read the current state associated with network entity objects in theNIB, (2) alter the network state by operating on these objects, and (3)register for notifications of state changes to these objects. Under thismodel, when an application 120 needs to modify a record in a table(e.g., a control plane flow table) of a switching element 105, theapplication 120 first uses the NOS' APIs to write to one or more objectsin the NIB that represent the table in the NIB. The NOS then, acting asthe switching element's controller, propagates this change to theswitching element's table.

FIG. 2 presents one example that illustrates this switch controllerfunctionality of the NOS 110. In particular, this figure illustrates infour stages the modification of a record (e.g., a flow table record) ina switch 205 by an application 215 and a NOS 210. In this example, theswitch 205 has two switch logic records 230 and 235. As shown in stageone of FIG. 2, a NIB 240 stores two records 220 and 225 that correspondto the two switch logic records 230 and 235 of the switch. In the secondstage, the application uses the NOS' APIs to write three new values d,e, and f in one of the records 220 in the NIB to replace three previousvalues a, b, and c.

Next, in the third stage, the NOS uses the set of switch-access APIs towrite a new set of values into the switch. In some embodiments, the NIBperforms a translation operation that modifies the format of the recordsbefore writing these records into the NIB. This operation is pictoriallyillustrated in FIG. 2 by showing the values d, e, and f translated intod′, e′, and f′, and the writing of these new values into the switch 205.Alternatively, in some embodiments, one or more sets of values are keptidentically in the NIB and the switching element, which thereby causesthe NOS 210 to write the NIB values directly to the switch 205unchanged.

In yet other embodiments, the NOS' translation operation might modifythe set of values in the NIB (e.g., the values d, e, and f) into adifferent set of values with fewer values (e.g., values x and y, where xand y might be a subset of d, e, and f, or completely different) oradditional values (e.g., the w, x, y, and z, where w, x, y, and z mightbe a super set of all or some of d, e, and f, or completely different).The NOS in these embodiments would then write this modified set ofvalues (e.g., values x and y, or values w, x, y and z into the switchingelement).

The fourth stage finally shows the switch 205 after the old values a, b,and c have been replaced in the switch control record 230 with thevalues d′, e′, and f′. Again, in the example shown in FIG. 2, the NOS ofsome embodiments propagates NIB records to the switches as modifiedversions of the records were written to the NIB. In other embodiments,the NOS applies processing (e.g., data transformation) to the NIBrecords before the NOS propagates the NIB records to the switches, andsuch processing changes the format, content and quantity of data writtento the switches.

A. Different NIB Views

In some embodiments, the virtualized system 100 of FIG. 1 providesdifferent views of the NIB to different users in order (1) to ensurethat different users do not have direct view and control over eachother's switching logic and (2) to provide each user with a view of theswitching logic at an abstraction level that is desired by the user. Forinstance, in some embodiments, the NIB is a hierarchical data structurethat represents different attributes of different switching elements aselements (e.g., different nodes) in a hierarchy. The NIB in some ofthese embodiments is a multi-layer hierarchical data structure, witheach layer having a hierarchical structure and one or more elements(e.g., nodes) on each layer linked to one or more elements (e.g., nodes)on another layer. In some embodiments, the lowest layer elementscorrespond to the actual switching elements and their attributes, whileeach of the higher layer elements serve as abstractions of the actualswitching elements and their attributes. As further described below,some of these higher layer elements are used in some embodiments to showdifferent abstract switching elements and/or switching elementattributes to different users in a virtualized control system. In otherwords, the NOS of some embodiments generates the multi-layer,hierarchical NIB data structure, and the NOS or an application that runson top of the NOS shows different users different views of differentparts of the hierarchical levels and/or layers, in order to provide thedifferent users with virtualized access to the shared switching elementsand network.

FIG. 3 illustrates an example of displaying different NIB views todifferent users. Specifically, this figure illustrates a virtualizedswitching system 300 that includes several switching elements that areshared by two users. The system 300 is similar to the system 100 of FIG.1, except that the system 300 is shown to include four switchingelements 105 a-105 d and one application 120, as opposed to the moregeneral case of N switching elements 105 and M (where M is a numbergreater than or equal to 1) applications in FIG. 1. The number ofswitching elements and the use of one application are purely exemplary.Other embodiments might use more or fewer switching elements andapplications. For instance, instead of having the two users interfacewith the same application, other embodiments provide two applications tointerface with the two users.

In system 300, the NIB 115 stores sets of data records for each of theswitching elements 105 a-105 d. In some embodiments, a systemadministrator can access these four sets of data through an application120 that interfaces with the NOS. However, other users that are notsystem administrators do not have access to all of the four sets ofrecords in the NIB, because some switch logic records in the NIB mightrelate to the logical switching configuration of other users.

Instead, each non-system-administrator user can only view and modify theswitching element records in the NIB that relate to the logicalswitching configuration of the user. FIG. 3 illustrates this limitedview by showing the application 120 providing a first layered NIB view345 to a first user 355 and a second layered NIB view 350 to a seconduser 360. The first layered NIB view 345 shows the first user datarecords regarding the configuration of the shared switching elements 105a-105 d for implementing the first user's switching logic and the stateof this configuration. The second layered NIB view 350 shows the seconduser data records regarding the configuration of the shared switchingelements 105 a-105 d for implementing the second user's switching logicand the state of this configuration. In viewing their own logicalswitching configuration, neither user can view the other user's logicalswitching configuration.

In some embodiments, each user's NIB view is a higher level NIB viewthat represents an abstraction of the lowest level NIB view thatcorrelates to the actual network infrastructure that is formed by theswitching elements 105 a-105 d. For instance, as shown in FIG. 3, thefirst user's layered NIB view 345 shows two switches that implement thefirst user's logical switching configuration, while the second user'slayered NIB view 350 shows one switch that implements the second user'slogical switching configuration. This could be the case even if eitheruser's switching configuration uses all four switching elements 105a-105 d. However, under this approach, the first user perceives that hiscomputing devices are interconnected by two switching elements, whilethe second user perceives that her computing devices are interconnectedby one switching element.

The first layered NIB view is a reflection of a first set of datarecords 365 that the application 120 allows the first user to accessfrom the NIB, while the second layered NIB view is a representation of asecond set of data records 370 that the application 120 allows thesecond user to access from the NIB. In some embodiments, the application120 retrieves the two sets of data records 365 and 370 from the NIB andmaintains these records locally, as shown in FIG. 3. In otherembodiments, however, the application does not maintain these two setsof data records locally. Instead, in these other embodiments, theapplication simply provides the users with an interface to access thelimited set of first and second data records from the NIB 115. Also, inother embodiments, the system 300 does not provide switching elementabstractions in the higher layered NIB views 345 and 350 that itprovides to the users. Rather, it simply provides views to the limitedfirst and second set of data records 365 and 370 from the NIB.

Irrespective of whether the application maintains a local copy of thefirst and second data records or whether the application only providesthe switching element abstractions in its higher layered NIB views, theapplication 120 serves as an interface through which each user can viewand modify the user's logical switching configuration, without beingable to view or modify the other user's logical switching configuration.Through the set of APIs provided by the NOS 110, the application 120propagates to the NIB 115 changes that a user makes to the logicalswitching configuration view that the user receives from theapplication. The propagation of these changes entails the transferring,and in some cases of some embodiments, the transformation, of the highlevel data entered by a user for a higher level NIB view to lower leveldata that is to be written to lower level NIB data that is stored by theNOS.

In the system 300 of FIG. 3, the application 120 can perform severaldifferent sets of operations in several different embodiments of theinvention, as apparent from the discussion above. Examples of suchoperations include providing an interface to a user to access NIB dataregarding the user's logical switching configuration, providingdifferent layered NIB views to different users, providing control logicfor modifying the provided NIB data, providing logic for propagatingreceived modifications to the NIB structure stored by the NOS, etc.

The system of some embodiments embeds all such operations in the NOS 110instead of in the application 120 operating on top of the NOS.Alternatively, in other embodiments the system separates theseoperations into several applications that operate above the NOS. FIG. 4illustrates a virtualized system that employs several such applications.Specifically, this figure illustrates a virtualized system 400 that issimilar to the virtualized system 300 of FIG. 3, except that theoperations of the application 120 in the system 300 have been dividedinto two sets of operations, one that is performed by a controlapplication 420 and one that is performed by a virtualizationapplication 425.

In some embodiments, the virtualization application 425 interfaces withthe NOS 110 to provide different views of different NIB records todifferent users through the control application 420. The controlapplication 420 also provides the control logic for allowing a user tospecify different operations with respect to the limited NIBrecords/views provided by the virtualization application. Examples ofsuch operations can be read operations from the NIB or write operationsto the NIB. The virtualization application then translates theseoperations into operations that access the NIB. In translating theseoperations, the virtualization application in some embodiments alsotransfers and/or transforms the data that are expressed in terms of thehigher level NIB records/views to data that are expressed in terms oflower level NIB records.

Even though FIG. 4 shows just one control application and onevirtualization application being used for the two users, the system 400in other embodiments employs two control applications and/or twovirtualization applications for the two different users. Similarly, eventhough several of the above-described figures show one or moreapplications operating on a single NOS instance, other embodimentsprovide several different NOS instances on top of each of which one ormore applications can execute. Several such embodiments will be furtherdescribed below.

B. Type I versus Type II Virtualized System

Different embodiments of the invention use different types ofvirtualization applications. One type of virtualization applicationexposes the definition of different elements at different hierarchicallevels in the NIB and the definition of the links between these elementsto the control applications that run on top of the NOS and thevirtualization application in order to allow the control application todefine its operations by reference to these definitions. For instance,in some embodiments, the developer of the control application running ontop of the virtualization application uses these definitions toenumerate how the application is to map the logical data path sets ofthe user to the physical switching elements of the control system. Underthis approach, the developer would have to enumerate all differentscenarios that the control system may encounter and the mappingoperation of the application for each scenario. This type ofvirtualization is referred to below as Type I network virtualization.

Another type of network virtualization, which is referred to below asType II network virtualization, does not require the applicationdevelopers to have intimate knowledge of the NIB elements and the linksin the NIB between these elements. Instead, this type of virtualizationallows the application to simply provide user specified switchingelement attributes in the form of one or more tables, which are thenmapped to NIB records by a table mapping engine. In other words, theType II virtualized system of some embodiments accepts switching elementconfigurations (e.g., access control list table configurations, L2 tableconfigurations, L3 table configurations, etc.) that the user defineswithout referencing any operational state of the switching elements in aparticular network configuration. It then maps the user-specifiedswitching element configurations to the switching element configurationsstored in the NIB.

FIG. 5 illustrates an example of such a Type II virtualized system. Likethe virtualized system 300 of FIG. 3 and the virtualized system 400 ofFIG. 4, the virtualized system 500 in this example is shown to includeone NOS 110 and four switching elements 105 a-105 d. Also, like thevirtualized system 400, the system 500 includes a control application520 and a virtualization application 525 that run on top of the NOS 110.In some embodiments, the control application 520 allows a user tospecify and populate logical data path sets, while the virtualizationapplication 525 implements the specified logical data path sets bymapping the logical data path sets to the physical switchinginfrastructure.

More specifically, the control application 520 allows (1) a user tospecify abstract switching element configurations, which thevirtualization application 525 then maps to the data records in the NIB,and (2) the user to view the state of the abstract switching elementconfigurations. In some embodiments, the control application 520 uses anetwork template library 530 to allow a user to specify a set of logicaldata paths by specifying one or more switch element attributes (i.e.,one or more switch element configurations). In the example shown in FIG.5, the network template library includes several types of tables that aswitching element may include. In this example, the user has interfacedwith the control application 520 to specify an L2 table 535, an L3 table540, and an access control list (ACL) table 545. These three tablespecify a logical data path set 550 for the user. In some embodiments alogical data path set defines a logical switching element (also referredto as a logical switch). A logical switch in some embodiments is asimulated/conceptual switch that is defined (e.g., by a user) toconceptually describe a set of switching behaviors for a switch. Thecontrol application of some embodiments (such as the control application520 illustrated in FIG. 5) implements this logical switch across one ormore physical switches, which as mentioned above may be hardwareswitches, software switches, or virtual switches defined on top of otherswitches.

In specifying these tables, the user simply specifies desired switchconfiguration records for one or more abstract, logical switchingelements. When specifying these records, the user of the system 500 doesnot have any understanding of the switching elements 105 a-105 demployed by the system nor any data regarding these switching elementsfrom the NIB 115. The only switch-element specific data that the user ofthe system 500 receives is the data from the network template library,which specifies the types of network elements that the user can definein the abstract, which the system can then process.

While the example in FIG. 5 shows the user specifying an ACL table, oneof ordinary skill in the art will realize that the system of someembodiments does not provide such specific switch table attributes inthe library 530. For instance, in some embodiments, the switch-elementabstractions provided by the library 530 are generic switch tables anddo not relate to any specific switching element table, component and/orarchitecture. In these embodiments, the control application 520 enablesthe user to create generic switch configurations for a generic set ofone or more tables. Accordingly, the abstraction level of theswitch-element attributes that the control application 520 allows theuser to create is different in different embodiments.

Irrespective of the abstraction level of the switch-element attributesproduced through the control logic application, the virtualizationapplication 525 performs a mapping operation that maps the specifiedswitch-element attributes (e.g., the specific or generic switch tablerecords) to records in the NIB. In some embodiments, the virtualizationapplication translates control application input into one or more NIBrecords 585 that the virtualization application then writes to the NIBthrough the API set provided by the NOS. From the NIB, these records arethen subsequently transferred to the switching infrastructure throughthe operation of the NOS. In some embodiments, the NIB stores both thelogical data path set input received through the control application aswell as the NIB records that are produced by the virtualizationapplication.

In some embodiments, the control application can receive switchinginfrastructure data from the NIB. In response to this data, the controlapplication may modify record(s) associated with one or more logicaldata path sets (LDPS). Any such modified LDPS record would then betranslated to one or more physical switching infrastructure records bythe virtualization application, which might then be transferred to thephysical switching infrastructure by the NOS.

To map the control application input to physical switchinginfrastructure attributes for storage in the NIB, the virtualizationapplication of some embodiments uses a database table mapping engine tomap input tables, which are created from (1) the control-applicationspecified input tables, and (2) a set of properties associated withswitching elements used by the system, to output tables. The content ofthese output tables are then transferred to the NIB elements.

Some embodiments use a variation of the datalog database language toallow application developers to create the table mapping engine for thevirtualization application, and thereby to specify the manner by whichthe virtualization application maps logical data path sets to thecontrolled physical switching infrastructure. This variation of thedatalog database language is referred to below as nLog. Like datalog,nLog provides a few declaratory rules and operators that allow adeveloper to specify different operations that are to be performed uponthe occurrence of different events. In some embodiments, nLog provides alimited subset of the operators that are provided by datalog in order toincrease the operational speed of nLog. For instance, in someembodiments, nLog only allows the AND operator to be used in any of thedeclaratory rules.

The declaratory rules and operations that are specified through nLog arethen compiled into a much larger set of rules by an nLog compiler. Insome embodiments, this compiler translates each rule that is meant toaddress an event into several sets of database join operations.Collectively the larger set of rules forms the table-mapping rulesengine that is referred to below as the nLog engine. The nLog mappingtechniques of some embodiments are further described in U.S. PatentApplication 13/177,533, now issued as U.S. Pat. No. 8,817,620, entitled“Network Virtualization Apparatus and Method,” filed concurrently withthis Application.

In some embodiments, the nLog virtualization engine provides feedback(e.g., from one or more of the output tables or from NIB records thatare updated to reflect values stored in the output tables) to the userin order to provide the user with state information about the logicaldata path set that he or she created. In this manner, the updates thatthe user gets are expressed in terms of the logical space that the userunderstands and not in terms of the underlying switching element states,which the user does not understand.

The use of nLog serves as a significant distinction between Type Ivirtualized control systems and Type II virtualized control systems,even for Type II systems that store user specified logical data pathsets in the NIB. This is because nLog provides a machine-generated rulesengine that addresses the mapping between the logical and physicaldomains in a more robust, comprehensive manner than the hand-codedapproach used for Type I virtualized control systems. In the Type Icontrol systems, the application developers need to have a detailedunderstanding of the NIB structure and need to use this detailedunderstanding to write code that addresses all possible conditions thatthe control system would encounter at runtime. On the other hand, inType II control systems, the application developers only need to produceapplications that express the user-specified logical data path sets interms of one or more tables, which are then automatically mapped tooutput tables whose contents are in turn transferred to the NIB. Thisapproach allows the Type II virtualized systems to forego maintainingthe data regarding the logical data path sets in the NIB. However, someembodiments maintain this data in the NIB in order to distribute thisdata among other NOS instances, as further described below.

In some embodiments, the system 500 propagates instructions to control aset of the switching elements 105 a-105 d through the controlapplication 520, the virtualization application 525, and the NOS 110.Specifically, in some embodiment, the control application 520, thevirtualization application 525, and the NOS 110 collectively translateand propagate control plane data through the three layers to a set ofthe switching elements 105 a-105 d.

The control application 520 of some embodiments has two logical planesthat can be used to express the input to and output from thisapplication. In some embodiments, the first logical plane is a logicalcontrol plane that includes a collection of higher-level constructs thatallow the control application 520 and its users to define a logicalplane for a logical switching element by specifying one or more logicaldata path sets for a user. The second logical plane in some embodimentsis the logical forwarding plane, which represents the logical data pathsets of the users in a format that can be processed by thevirtualization application 525. In this manner, the two logical planesare logical space analogs of physical control and forwarding planes thatare typically found in a typical managed switch.

In some embodiments, the control application 520 defines and exposes thelogical control plane constructs with which the application itself orusers of the application specifies different logical data path sets. Forinstance, in some embodiments, the logical control plane data 520includes the logical ACL table 545, the logical L2 table 535, and thelogical L3 table 540. Some of this data can be specified by the user,while other such data are generated by the control application. In someembodiments, the control application 520 generates and/or specifies suchdata in response to certain changes to the NIB (which indicate changesto the switching elements 105 a-105 d and the managed data path sets)that the control application 520 detects.

In some embodiments, the logical control plane data (i.e., the LDPS data550 that is expressed in terms of the control plane constructs) can beinitially specified without consideration of current operational datafrom the switching elements 105 a-105 d and without consideration of themanner by which this control plane data will be translated to physicalcontrol plane data. For instance, the logical control plane data mightspecify control data for one logical switch that connects fivecomputers, even though this control plane data might later be translatedto physical control data for three of the switching elements 105 a-105 dthat implement the desired switching between the five computers.

The control application 520 of some embodiments includes a set ofmodules (not shown) for converting any logical data path set within thelogical control plane to a logical data path set in the logicalforwarding plane of the control application 520. Some embodiments mayexpress the logical data path set in the logical forwarding plane of thecontrol application 520 as a set of forwarding tables (e.g., the L2table 535 and L3 table 540). The conversion process of some embodimentsincludes the control application 520 populating logical data path tables(e.g., logical forwarding tables) that are created by the virtualizationapplication 525 with logical data path sets. In some embodiments, thecontrol application 520 uses an nLog table mapping engine to performthis conversion. The control application's use of the nLog table mappingengine to perform this conversion is further described in U.S. patentapplication No. 13/177,532, now issued as U.S. Pat. No. 8,743,888,entitled “Network Control Apparatus and Method”, filed concurrently withthis application.

The virtualization application 525 of some embodiments also has twoplanes of data, a logical forwarding plane and a physical control plane.The logical forwarding plane is identical or similar to the logicalforwarding plane produced by the control application 520. In someembodiments, the logical forwarding plane of the virtualizationapplication 525 includes one or more logical data path sets of one ormore users. The logical forwarding plane of the virtualizationapplication 525 in some embodiments includes logical forwarding data forone or more logical data path sets of one or more users. Some of thisdata is pushed directly or indirectly to the logical forwarding plane ofthe virtualization application 525 by the control application 520, whileother such data are pushed to the logical forwarding plane of thevirtualization application 525 by the virtualization application 525detecting events in the NIB.

The physical control plane of the virtualization application 525includes one or more physical data path sets of one or more users. Someembodiments of the virtualization application 525 include a set ofmodules (not shown) for converting any LDPS within the logicalforwarding plane of the virtualization application 525 to a physicaldata path set in the physical control plane of the virtualizationapplication 525. In some embodiments, the virtualization application 525uses the nLog table mapping engine to perform this conversion. Thevirtualization application 525 also includes a set of modules (notshown) for pushing the control plane data from the physical controlplane of the virtualization application 525 into the NIB of the NOS 110.

From the NIB, the physical control plane data is later pushed into a setof the switching elements 105 a-105 d (e.g., switching elements 105 aand 105 c). In some embodiments, the physical control plane data ispushed to each of the set of the switching elements 105 a-105 d by thecontroller instance that is the master of the switching element. In somecases, the master controller instance of the switching element is thesame controller instance that converted the logical control plane datato the logical forwarding plane data and the logical forwarding planedata to the physical control plane data. In other cases, the mastercontroller instance of the switching element is not the same controllerinstance that converted the logical control plane data to the logicalforwarding plane data and the logical forwarding plane data to thephysical control plane data. The set of the switching elements 105 a-105d then converts this physical control plane data to physical forwardingplane data that specifies the forwarding behavior of the set of theswitching elements 105 a-105 d.

In some embodiments, the physical control plane data that is propagatedto the set of the switching elements 105 a-105 d allows the set of theswitching elements 105 a-105 d to perform the logical data processing ondata packets that it processes in order to effectuate the processing ofthe logical data path sets specified by the control application 520. Insome such embodiments, physical control planes include control planedata for operating in the physical domain and control plane data foroperating in the logical domain. In other words, the physical controlplanes of these embodiments include control plane data for processingnetwork data (e.g., packets) through switching elements to implementphysical switching and control plane data for processing network datathrough switching elements in order to implement the logical switching.In this manner, the physical control plane facilitates implementinglogical switches across the switching elements. The use of thepropagated physical control plane to implement logical data processingin the switching elements is further described in U.S. patentapplication No. 13/177,535, now issued as U.S. Pat. No. 8,750,164,entitled “Hierarchical Managed Switch Architecture”, filed concurrentlywith this Application.

In addition to pushing physical control plane data to the NIB 115, thecontrol and virtualization applications 520 and 525 also store logicalcontrol plane data and logical forwarding plane data in the NIB 115.These embodiments store such data in the NIB 115 for a variety ofreasons. For instance, in some embodiments, the NIB 115 serves as amedium for communications between different controller instances, andthe storage of such data in the NIB 115 facilitates the relaying of suchdata across different controller instances.

The NIB 115 in some embodiments serves as a hub for all communicationsamong the control application 520, the virtualization application 525,and the NOS 110. For instance, the control application 520 may store inthe NIB logical data path sets in the logical forwarding plane that havebeen converted from logical data path sets in the logical control plane.The virtualization application 525 may retrieve from the NIB theconverted logical data path sets in the logical forwarding plane andthen convert the logical data path sets to physical data path sets inthe physical control plane of the virtualization application 525. Thus,the NIB of some embodiments serves as a medium for communication betweenthe different processing layers. Also, the NIB 115 in these embodimentsstores logical control plane data and logical forwarding plane data aswell as physical control plane data.

The above description describes a control data pipeline through threeprocessing layers to a set of the switching elements 105 a-105 d.However, in some embodiments, the control data pipeline may have twoprocessing layers instead of three with the upper layer being a singleapplication that performs the functionalities of both the controlapplication 520 and the virtualization application 525. For example, asingle virtualization application (also called a network hypervisor) mayreplace these the control application 520 and the virtualizationapplication 525 in some embodiments. In such embodiments, the controlapplication 520 would form the front end of this network hypervisor, andwould create and populate the logical data path sets. The virtualizationapplication 525 in these embodiments would form the back end of thenetwork hypervisor, and would convert the logical data path sets tophysical data path sets that are defined in the physical control plane.

In some embodiments, the different processing layers are implemented ona single computing device. Referring to FIG. 5 as an example, some suchembodiments may execute the control application 520, and virtualizationapplication 525, and the NOS 110 on a single computing device. However,some embodiments may execute the different processing layers ondifferent computing devices. For instance, the control application 520,and virtualization application 525, and the NOS 110 may each be executedon separate computing devices. Other embodiments may execute any numberof processing layers on any number of different computing devices.

C. Edge and Non-Edge Switch Controls

As mentioned above, the NIB in some embodiments stores data regardingeach switching element within the network infrastructure of a system,while in other embodiments, the NIB stores state information about onlyswitching elements at the edge of a network infrastructure. FIGS. 6 and7 illustrate an example that differentiates the two differingapproaches. Specifically, FIG. 6 illustrates the switch infrastructureof a multi-tenant server hosting system. In this system, six switchingelements are employed to interconnect six computing devices of two usersA and B. Four of these switches 605-620 are edge switches that havedirect connections with the computing devices 635-660 of the users A andB, while two of the switches 625 and 630 are interior switches (i.e.,non-edge switches) that interconnect the edge switches and connect toeach other.

FIG. 7 illustrates a virtualized network control system 700 that managesthe edge switches 605-620. As shown in this figure, the system 700includes a NOS 110 that creates and maintains a NIB 115, which containsdata records regarding only the four edge switching elements 605-620. Inaddition, the applications 705 running on top of the NOS 110 allow theusers A and B to modify their switch element configurations for the edgeswitches that they use. The NOS then propagates these modifications ifneeded to the edge switching elements. Specifically, in this example,two edge switches 605 and 620 are used by computing devices of bothusers A and B, while edge switch 610 is only used by the computingdevice 645 of the user A and edge switch 615 is only used by thecomputing device 650 of the user B. Accordingly, FIG. 7 illustrates theNOS modifying user A and user B records in switches 605 and 620, butonly updating user A records in switch element 610 and user B records inswitch element 615.

The system of some embodiments only controls edge switches (i.e., onlymaintains data in the NIB regarding edge switches) for several reasons.Controlling edge switches provides the system with a sufficientmechanism for maintaining isolation between computing devices, which isneeded, as opposed to maintaining isolation between all switch elements,which is not needed. The interior switches forward between switchingelements. The edge switches forward between computing devices and othernetwork elements. Thus, the system can maintain user isolation simply bycontrolling the edge switch because the edge switch is the last switchin line to forward packets to a host.

Controlling only edge switches also allows the system to be deployedindependent of concerns about the hardware vendor of the non-edgeswitches, because deploying at the edge allows the edge switches totreat the internal nodes of the network as simply a collection ofelements that moves packets without considering the hardware makeup ofthese internal nodes. Also, controlling only edge switches makesdistributing switching logic computationally easier. Controlling onlyedge switches also enables non-disruptive deployment of the systembecause edge-switching solutions can be added as top of rack switcheswithout disrupting the configuration of the non-edge switches.

In addition to controlling edge switches, the network control system ofsome embodiments also utilizes and controls non-edge switches that areinserted in the switch network hierarchy to simplify and/or facilitatethe operation of the controlled edge switches. For instance, in someembodiments, the control system requires the switches that it controlsto be interconnected in a hierarchical switching architecture that hasseveral edge switches as the leaf nodes in this switching architectureand one or more non-edge switches as the non-leaf nodes in thisarchitecture. In some such embodiments, each edge switch connects to oneor more of the non-leaf switches, and uses such non-leaf switches tofacilitate its communication with other edge switches. Examples offunctions that a non-leaf switch of some embodiments may provide tofacilitate such communications between edge switches in some embodimentsinclude (1) routing of a packet with an unknown destination address(e.g., unknown MAC address) to the non-leaf switch so that this switchcan route this packet to the appropriate edge switch, (2) routing amulticast or broadcast packet to the non-leaf switch so that this switchcan convert this packet to a series of unicast packets to the desireddestinations, (3) bridging remote managed networks that are separated byone or more networks, and (4) bridging a managed network with anunmanaged network.

Some embodiments employ one level of non-leaf (non-edge) switches thatconnect to edge switches and in some cases to other non-leaf switches.Other embodiments, on the other hand, employ multiple levels of non-leafswitches, with each level of non-leaf switch after the first levelserving as a mechanism to facilitate communication between lower levelnon-leaf switches and leaf switches. In some embodiments, the non-leafswitches are software switches that are implemented by storing theswitching tables in the memory of a standalone computer instead of anoff-the-shelf switch. In some embodiments, the standalone computer mayalso be executing in some cases a hypervisor and one or more virtualmachines on top of that hypervisor. Irrespective of the manner by whichthe leaf and non-leaf switches are implemented, the NIB of the controlsystem of some embodiments stores switching state information regardingthe leaf and non-leaf switches.

The above discussion relates to the control of edge switches andnon-edge switches by a network control system of some embodiments. Insome embodiments, edge switches and non-edge switches (leaf and non-leafnodes) may be referred to as managed switches. This is because theseswitches are managed by the network control system (as opposed tounmanaged switches, which are not managed by the network control system,in the network) in order to implement logical data path sets through themanaged switches.

D. Secondary Storage Structure

In addition to using the NIB to store switching-element data, thevirtualized network-control system of some embodiments also stores otherstorage structures to store data regarding the switching elements of thenetwork. These other storage structures are secondary storage structuresthat supplement the storage functions of the NIB, which is the primarystorage structure of the system while the system operates. In someembodiments, the primary purpose for one or more of the secondarystorage structures is to back up the data in the NIB. In these or otherembodiments, one or more of the secondary storage structures serves apurpose other than backing up the data in the NIB (e.g., for storingdata that are not in the NIB).

In some embodiments, the NIB is stored in system memory (e.g., RAM)while the system operates. This allows for fast access of the NIBrecords. In some embodiments, one or more of the secondary storagestructures, on the other hand, are stored on disk or other non-volatilememories that are slower to access. Such non-volatile disk or otherstorages, however, improve the resiliency of the system as they allowthe data to be stored in a persistent manner.

FIG. 8 illustrates an example of a virtualized system 800 that employssecondary storage structures that supplement the NIB's storageoperations. This system is similar to the systems 400 and 500 of FIGS. 4and 5, except that it also includes secondary storage structures 805. Inthis example, these structures include a persistent transactionaldatabase (PTD) 810, a persistent non-transactional database (PNTD) 815,and a hash table 820. In some embodiments, these three types ofsecondary storage structures store different types of data, store datain different manners, and/or provide different query interfaces thathandle different types of queries.

In some embodiments, the PTD 810 is a database that is stored on disk orother non-volatile memory. In some embodiments, the PTD is a commonlyavailable database, such as MySQL or SQLite. The PTD of some embodimentscan handle complex transactional queries. As a transactional database,the PTD can undo a series of prior query operations that it hasperformed as part of a transaction when one of the subsequent queryoperations of the transaction fails. Moreover, some embodiments define atransactional guard processing (TGP) layer before the PTD in order toallow the PTD to execute conditional sets of database transactions. TheTGP layer allows the PTD to avoid unnecessary later database operationswhen conditions of earlier operations are not met.

The PTD in some embodiments stores an exact replica of the data that isstored in the NIB, while in other embodiments it stores only a subset ofthe data that is stored in the NIB. Some or all of the data in the NIBis stored in the PTD in order to ensure that the NIB data will not belost in the event of a crash of the NOS or the NIB.

The PNTD 815 is another persistent database that is stored on disk orother non-volatile memory. Some embodiments use this database to storedata (e.g., statistics, computations, etc.) regarding one or more switchelement attributes or operations. For instance, this database is used insome embodiments to store the number of packets routed through aparticular port of a particular switching element. Other examples oftypes of data stored in the database 815 include error messages, logfiles, warning messages, and billing data. Also, in some embodiments,the PNTD stores the results of operations performed by theapplication(s) 830 running on top of the NOS, while the PTD and hashtable store only values generated by the NOS.

The PNTD in some embodiments has a database query manager that canprocess database queries, but as it is not a transactional database,this query manager cannot handle complex conditional transactionalqueries. In some embodiments, accesses to the PNTD are faster thanaccesses to the PTD but slower than accesses to the hash table 820.

Unlike the databases 810 and 815, the hash table 820 is not a databasethat is stored on disk or other non-volatile memory. Instead, it is astorage structure that is stored in volatile system memory (e.g., RAM).It uses hashing techniques that use hashed indices to quickly identifyrecords that are stored in the table. This structure combined with thehash table's placement in the system memory allows this table to beaccessed very quickly. To facilitate this quick access, a simplifiedquery interface is used in some embodiments. For instance, in someembodiments, the hash table has just two queries: a Put query forwriting values to the table and a Get query for retrieving values fromthe table. Some embodiments use the hash table to store data thatchanges quickly. Examples of such quick-changing data include networkentity status, statistics, state, uptime, link arrangement, and packethandling information. Furthermore, in some embodiments, the NOS uses thehash tables as a cache to store information that is repeatedly queriedfor, such as flow entries that will be written to multiple nodes. Someembodiments employ a hash structure in the NIB in order to quicklyaccess records in the NIB. Accordingly, in some of these embodiments,the hash table 820 is part of the NIB data structure.

The PTD and the PNTD improve the resiliency of the NOS system bypreserving network data on hard disks. If a NOS system fails, networkconfiguration data will be preserved on disk in the PTD and log fileinformation will be preserved on disk in the PNTD.

E. Multi-Instance Control System

Using a single NOS instance to control a network can lead to scaling andreliability issues. As the number of network elements increases, theprocessing power and/or memory capacity that are required by thoseelements will saturate a single node. Some embodiments further improvethe resiliency of the control system by having multiple instances of theNOS running on one or more computers, with each instance of the NOScontaining one or more of the secondary storage structures describedabove. The control applications in some embodiments partition theworkload between the different instances in order to reduce eachinstance's workload. Also, in some embodiments, the multiple instancesof the NOS communicate the information stored in their storage layers toenable each instance of the NOS to cover for the others in the event ofa NOS instance failing.

FIG. 9 illustrates a multi-instance, distributed network control system900 of some embodiments. This distributed system controls multipleswitching elements 990 with three instances 905, 910, and 915. In someembodiments, the distributed system 900 allows different controllerinstances to control the operations of the same switch or differentswitches.

As shown in FIG. 9, each instance includes a NOS 925, a virtualizationapplication 930, one or more control applications 935, and acoordination manager (CM) 920. For the embodiments illustrated in thisfigure, each NOS in the system 900 is shown to include a NIB 940 andthree secondary storage structures, i.e., a PTD 945, a distributed hashtable (DHT) instance 950, and a persistent non-transaction database(PNTD) 955. Other embodiments may not tightly couple the NIB and/or eachof the secondary storage structures within the NOS. Also, otherembodiments might not include each of the three secondary storagestructures (i.e., the PTD, DHT instance, and PNTD) in each instance 905,910, or 915. For example, one NOS instance 905 may have all three datastructures whereas another NOS instance may only have the DHT instance.

In some embodiments, the system 900 maintains the same switch elementdata records in the NIB of each instance, while in other embodiments,the system 900 allows NIBs of different instances to store differentsets of switch element data records. FIGS. 10-12 illustrate threedifferent approaches that different embodiments employ to maintain theNIB records. In each of these three examples, two instances 1005 and1010 are used to manage several switching elements having numerousattributes that are stored collectively in the NIB instances. Thiscollection of the switch element data in the NIB instances is referredto as the global NIB data structure 1015 in FIGS. 10-12.

FIG. 10 illustrates the approach of maintaining the entire global NIBdata structure 1015 in each NOS instance 1005 and 1010. FIG. 11illustrates an alternative approach of dividing the global NIB 1015 intotwo separate portions 1020 and 1025, and storing each of these portionsin a different NOS instance (e.g., storing portion 1020 in controllerinstance 1005 while storing portion 1025 in controller instance 1010).FIG. 12 illustrates yet another alternative approach. In this example,the global NIB 1015 is divided into two separate, but overlappingportions 1030 and 1035, which are then stored separately by the twodifferent instances (e.g., storing portion 1030 in controller instance1005 while storing portion 1035 in controller instance 1010). In thesystems of some embodiments that store different portions of the NIB indifferent instances, one controller instance is allowed to query anothercontroller instance to obtain a NIB record. Other systems of suchembodiments, however, do not allow one controller instance to queryanother controller instance for a portion of the NIB data that is notmaintained by the controller itself. Still others allow such queries tobe made, but allow restrictions to be specified that would restrictaccess to some or all portions of the NIB.

The system 900 of some embodiments also replicates each NIB record ineach instance in the PTD 945 of that instance in order to maintain therecords of the NIB in a persistent manner. Also, in some embodiments,the system 900 replicates each NIB record in the PTDs of all thecontroller instances 905, 910, or 915, in order to protect againstfailures of individual controller instances (e.g., of an entirecontroller instance or a portion of the controller instance). Otherembodiments, however, do not replicate each NIB record in each PTDand/or do not replicate the PTD records across all the PTDs. Forinstance, some embodiments replicate only a part but not all of the NIBdata records of one controller instance in the PTD storage layer of thatcontroller instance, and then replicate only this replicated portion ofthe NIB in all of the NIBs and PTDs of all other controller instances.Some embodiments also store a subset of the NIB records in another oneof the secondary storage records, such as the DHT instance 950.

In some embodiments, the DHT instances (DHTI) 950 of all controllerinstances collectively store one set of records that are indexed basedon hashed indices for quick access. These records are distributed acrossthe different controller instances to minimize the size of the recordswithin each instance and to allow the size of the DHT to be increased byadding additional DHT instances. According to this scheme, one DHTrecord is not stored in each controller instance. In fact, in someembodiments, each DHT record is stored in at most one controllerinstance. To improve the system's resiliency, some embodiments, however,allow one DHT record to be stored in more than one controller instance,so that in case one DHT record is no longer accessible because of oneinstance failure, that DHT record can be accessed from another instance.Some embodiments store in the DHT only the type of data that can bequickly re-generated, and therefore do not allow for replication ofrecords across different DHT instances or allow only a small amount ofsuch records to be replicated.

The PNTD 955 is another distributed data structure of the system 900 ofsome embodiments. For example, in some embodiments, each instance's PNTDstores the records generated by the NOS 925 or applications 930 or 935of that instance or another instance. Each instance's PNTD records canbe locally accessed or remotely accessed by other controller instanceswhenever the controller instances need these records. This distributednature of the PNTD allows the PNTD to be scalable as additionalcontroller instances are added to the control system 900. In otherwords, addition of other controller instances increases the overall sizeof the PNTD storage layer.

The PNTD in some embodiments is replicated partially across differentinstances. In other embodiments, the PNTD is replicated fully acrossdifferent instances. Also, in some embodiments, the PNTD 955 within eachinstance is accessible only by the application(s) that run on top of theNOS of that instance. In other embodiments, the NOS can also access(e.g., read and/or write) the PNTD 955. In yet other embodiments, thePNTD 955 of one instance is only accessible by the NOS of that instance.

By allowing different NOS instances to store the same or overlapping NIBrecords, and/or secondary storage structure records, the system improvesits overall resiliency by guarding against the loss of data due to thefailure of any NOS or secondary storage structure instance. In someembodiments, each of the three storages of the secondary storage layeruses a different distribution technique to improve the resiliency of amultiple NOS instance system. For instance, as mentioned above, thesystem 900 of some embodiments replicates the PTD across NOS instancesso that every NOS has a full copy of the PTD to enable a failed NOSinstance to quickly reload its PTD from another instance. In someembodiments, the system 900 distributes the PNTD with overlappingdistributions of data across the NOS instances to reduce the damage of afailure. The system 900 in some embodiments also distributes the DHTfully or with minimal overlap across multiple controller instances inorder to maintain the DHT instance within each instance small and toallow the size of the DHT to be increased by adding additional DHTinstances.

For some or all of the communications between the distributed instances,the system 900 uses the CMs 920. The CM 920 in each instance allows theinstance to coordinate certain activities with the other instances.Different embodiments use the CM to coordinate the different sets ofactivities between the instances. Examples of such activities includewriting to the NIB, writing to the PTD, writing to the DHT, controllingthe switching elements, facilitating intra-controller communicationrelated to fault tolerance of controller instances, etc. Several moredetailed examples of the operations of the CMs in some embodiments arefurther described below in Section III.B.

As mentioned above, different controller instances of the system 900 cancontrol the operations of the same switching elements or differentswitching elements. By distributing the control of these operations overseveral instances, the system can more easily scale up to handleadditional switching elements. Specifically, the system can distributethe management of different switching elements and/or different portionsof the NIB to different NOS instances in order to enjoy the benefit ofprocessing efficiencies that can be realized by using multiple NOSinstances. In such a distributed system, each NOS instance can have areduced number of switches or a reduce portion of the NIB undermanagement, thereby reducing the number of computations each controllerneeds to perform to distribute flow entries across the switches and/orto manage the NIB. In other embodiments, the use of multiple NOSinstances enables the creation of a scale-out network management system.The computation of how best to distribute network flow tables in largenetworks is a CPU intensive task. By splitting the processing over NOSinstances, the system 900 can use a set of more numerous but lesspowerful computer systems to create a scale-out network managementsystem capable of handling large networks.

As noted above, some embodiments use multiple NOS instance in order toscale a network control system. Different embodiments may utilizedifferent methods to improve the scalability of a network controlsystem. Three example of such methods include (1) partitioning, (2)aggregation, and (3) consistency and durability. For a first method, thenetwork control system of some embodiments configures the NOS instancesso that a particular controller instance maintains only a subset of theNIB in memory and up-to-date. Further, in some of these embodiments, aparticular NOS instance has connections to only a subset of the networkelements, and subsequently, can have less network events to process.

A second method for improving scalability of a network control system isreferred to as aggregation. In some embodiments, aggregation involvesthe controller instances grouping NOS instances together into sets. Allthe NOS instances within a set have complete access to the NIB entitiesrepresenting network entities connected to those NOS instances. The setof NOS instances then exports aggregated information about its subset ofthe NIB to other NOS instances (which are not included in the set of NOSinstances)

Consistency and durability is a third method for improving scalabilityof a network control system. For this method, the controller instancesof some embodiments are able to dictate the consistency requirements forthe network state that they manage. In some embodiments, distributedlocking and consistency algorithms are implemented for network statethat requires strong consistency, and conflict detection and resolutionalgorithms are implemented for network state that does not requirestrong consistency (e.g., network state that is not guaranteed to beconsistent). As mentioned above, the NOS of some embodiments providestwo data stores that an application can use for network state withdiffering preferences for durability and consistency. The NOS of someembodiments provides a replicated transactional database for networkstate that favors durability and strong consistency, and provides amemory-based one-hop DHT for volatile network state that can sustaininconsistencies.

In some embodiments, the above methods for improving scalability can beused alone or in combination. They can also be used to manage networkstoo large to be controlled by a single NOS instance. These methods aredescribed in further detail in U.S. patent application No. 13/177,538,now published as U.S. Patent Publication 2013/0060929, entitled “ADistributed Control Platform for Large-scale Production Networks,” filedconcurrently with the present Application.

To distribute the workload and to avoid conflicting operations fromdifferent controller instances, the system 900 of some embodimentsdesignates one controller instance (e.g., 905) within the system 900 asthe master of any particular NIB portion and/or any given switchingelement (e.g., 990). Even with one master controller, differentcontroller instance (e.g., 910 and 915) can request changes to differentNIB portions and/or to different switching elements (e.g., 990)controlled by the master (e.g., 905). If allowed, the master instancethen effectuates this change and writes to the desired NIB portionand/or switching element. Otherwise, the master rejects the request.More detailed examples of processing such requests are described below.

FIG. 13 illustrates an example of specifying a master controllerinstance for a switch in a distributed system 1300 that is similar tothe system 900 of FIG. 9. In this example, two controllers 1305 and 1310control three switching elements S1, S2 and S3, for two different usersA and B. Through two control applications 1315 and 1320, the two usersspecify two different sets of logical data paths 1325 and 1330, whichare translated into numerous records that are identically stored in twoNIBs 1355 and 1360 of the two controller instances 1305 and 1310 by NOSinstances 1345 and 1350 of the controllers.

In the example illustrated in FIG. 13, both control applications 1315and 1320 of both controllers 1305 and 1310 can modify records of theswitching element S2 for both users A and B, but only controller 1305 isthe master of this switching element. This example illustrates twocases. The first case involves the controller 1305 updating the recordS2 b 1 in switching element S2 for the user B. The second case involvesthe controller 1305 updating the records S2 a 1 in switching element S2after the control application 1320 updates a NIB record S2 a 1 forswitching element S2 and user A in NIB 1360. In the example illustratedin FIG. 13, this update is routed from NIB 1360 of the controller 1310to the NIB 1355 of the controller 1305, and then subsequently routed toswitching element S2.

Different embodiments use different techniques to propagate changes fromthe NIB 1360 of controller instance 1310 to NIB 1355 of the controllerinstance 1305. For instance, to propagate changes, the system 1300 insome embodiments uses the secondary storage structures (not shown) ofthe controller instances 1305 and 1310. More generally, the distributedcontrol system of some embodiments uses the secondary storage structuresas communication channels between the different controller instances.Because of the differing properties of the secondary storage structures,these structures provide the controller instances with differentmechanisms for communicating with each other. For instance, in someembodiments, different DHT instances can be different, and each DHTinstance is used as a bulletin board for one or more instances to storedata so that they or other instances can retrieve this data later. Insome of these embodiments, the PTDs are replicated across all instances,and some or all of the NIB changes are pushed from one controllerinstance to another through the PTD storage layer. Accordingly, in theexample illustrated in FIG. 13, the change to the NIB 1360 could bereplicated to the PTD of the controller 1310, and from there it could bereplicated in the PTD of the controller 1305 and the NIB 1355. Severalexamples of such DHT and PTD operations will be described below.

Instead of propagating the NIB changes through the secondary storages,the system 1300 uses other techniques to change the record S2 a 1 in theswitch S2 in response to the request from control application 1320. Forinstance, to propagate this update, the NOS 1350 of the controller 1310in some embodiments sends an update command to the NOS 1345 of thecontroller 1305 (with the requisite NIB update parameters that identifythe record and one or more new values for the record) to direct the NOS1345 to modify the record in the NIB 1355 or in the switch S2. Inresponse, the NOS 1345 would make the changes to the NIB 1355 and theswitch S2 (if such a change is allowed). After this change, thecontroller instance 1310 would change the corresponding record in itsNIB 1360 once it receives notification (from controller 1305 or fromanother notification mechanism) that the record in the NIB 1355 and/orswitch S2 has changed.

Other variations to the sequence of operations shown in FIG. 13 couldexist because some embodiments designate one controller instance as amaster of a portion of the NIB, in addition to designating a controllerinstance as a master of a switching element. In some embodiments,different controller instances can be masters of a switch and acorresponding record for that switch in the NIB, while other embodimentsrequire the controller instance to be master of the switch and allrecords for that switch in the NIB.

In the embodiments where the system 1300 allows for the designation ofmasters for switching elements and NIB records, the example illustratedin FIG. 13 illustrates a case where the controller instance 1310 is themaster of the NIB record S2 a 1, while the controller instance 1305 isthe master for the switch S2. If a controller instance other than thecontroller instance 1305 and 1310 was the master of the NIB record S2 a1, then the request for the NIB record modification from the controlapplication 1320 would have to be propagated to this other controllerinstance. This other controller instance would then modify the NIBrecord and this modification would then cause the NIB 1355, the NIB 1360and the switch S2 to update their records once the controller instances1305 and 1310 are notified of this modification through any number ofmechanisms that would propagate this modification to the controllerinstances 1305 and 1310.

In other embodiments, the controller instance 1305 might be the masterof the NIB record S2 a 1, or the controller instance 1305 is the masterof switch S2 and all the records for this NIB. In these embodiments, therequest for the NIB record modification from the control application1320 would have to be propagated the controller instance 1305, whichwould then modify the records in the NIB 1355 and the switch S2. Oncethis modification is made, the NIB 1360 would modify its record S2 a 1once the controller instance 1310 is notified of this modificationthrough any number of mechanisms that would propagate this modificationto the controller instance 1310.

As mentioned above, different embodiments employ different techniques tofacilitate communication between different controller instances. Inaddition, different embodiments implement the controller instancesdifferently. For instance, in some embodiments, the stack of the controlapplication(s) (e.g., 935 or 1315 in FIGS. 9 and 13), the virtualizationapplication (e.g., 930 or 1335), and the NOS (e.g., 925 or 1345) areinstalled and run on a single computer. Also, in some embodiments,multiple controller instances can be installed and run in parallel on asingle computer. In some embodiments, a controller instance can alsohave its stack of components divided amongst several computers. Forexample, within one instance, the control application (e.g., 935 or1315) can be on a first physical or virtual computer, the virtualizationapplication (e.g., 930 or 1335) can be on a second physical or virtualcomputer, and the NOS (e.g., 925 or 1345) can be on a third physical orvirtual computer.

II. NIB

FIG. 14 presents a conceptual illustration of a NIB storage structure ofsome embodiments of the invention. The control systems of someembodiments use a NIB 1400 in each controller instance to store networkconfiguration data. The NIB 1400 stores the physical networkconfiguration state (e.g. physical control plane data), and in someembodiments, the logical network configuration state (e.g., logicalcontrol plane data and logical forwarding plane data). The NIB 1400stores this information in a hierarchical graph that corresponds to thenetwork topology of the network under NOS management. NOS instancesupdate the NIB data structure to reflect changes in the network underNOS management. In some embodiments, the NIB 1400 presents an API tohigher-level applications or users that enables higher levelapplications or users to change NIB data. The NOS instance propagateschanges to the NIB data structure made through the API to the networkelements represented in the NIB 1400. The NIB serves as the heart of theNOS by reflecting current network state and allowing software-levelcontrol of that network state.

FIG. 14 conceptually illustrates an example NIB 1400 as a hierarchicaltree structure. The NIB 1400 stores network data in object-orientedentity classes. The NIB 1400 illustration contains several circularobjects and lines. The circular objects, such as Chassis 1440, represententity objects stored in the NIB. The lines connecting the entityobjects represent one object containing a pointer to another, signalingmembership. The NIB entity objects shown in FIG. 14 comprise a chassisobject 1440, two forwarding engine objects 1410 and 1460, fiveforwarding table objects 1465, 1470, 1445, 1450, and 1455, two portobjects 1420 and 1430, a link object 1425, a queue collection object1415, two queue objects 1475 and 1480, and a host object 1435. Theentity objects are objects of network entity classes that correspond tophysical network element types to be managed by network controllerinstances. The entity classes contain a plurality of attributes thatstore network data. In some embodiments, the attributes are network datasuch as status, addresses, statistics, and link state. The networkentity classes will be described in more detail in conjunction withFIGS. 17, 18, and 19.

The NIB 1400 performs functions that compose the heart of the NOS forseveral reasons. First, the NIB functions as a data storage structurefor storing network configuration state information. In someembodiments, the NIB contains only physical network configuration stateinformation while in other embodiments the NIB contains logical networkconfiguration state information as well.

Second, in some embodiments, the NIB functions as a communication mediumbetween NOS instances. The NOS instances replicate the NIB to somedegree, with different embodiments of the invention replicating the NIBto varying degrees. This degree of replication allows the NIB to serveas a communication medium between NOS instances. For example, changes tothe forwarding engine object 1460 and the forwarding table objects 1465and 1470 may be replicated amongst all NOS instances, thereby sharingthat information between NOS instances.

Third, in some embodiments, the NIB functions as an interface to allowhigher-level applications to configure the underlying network. The NOSpropagates changes made to the NIB to the underlying network, thusallowing higher-level applications to control underlying network stateusing the NIB. For example, if a higher-level application changes theconfiguration of forwarding engine 1410, then the NOS instance withauthority over the physical switch corresponding to forwarding engine1410 will propagate any changes made to forwarding engine 1410 down tothe physical switch represented by forwarding engine 1410.

Fourth, in some embodiments, the NIB functions as a view of the networktopology that the NOS can present to higher-level applications, and insome embodiments, application users. The conceptualization of NIB 1400shown in FIG. 14 can be presented as a view of the network tohigher-level applications in some embodiments. For example, a first hopswitch with a port that is linked to a port on a host can be representedin a NIB by the forwarding engine object 1410, the port object 1420, thelink object 1425, the port object 1430, and the host object 1435.

For sake of simplicity, FIG. 14 presents the NIB 1400 as a singlehierarchical tree structure. However, in some embodiments, the NIB 1400has a more complicated structure than that. For instance, the NIB insome embodiments is a multi-layer hierarchical data structure, with eachlayer having a hierarchical structure and one or more elements (e.g.,nodes) on each layer linked to one or more elements (e.g., nodes) onanother layer. In some embodiments, the lowest layer elements correspondto the actual switching elements and their attributes, while each of thehigher layer elements serve as abstractions of the actual switchingelements and their attributes. As further described below, some of thesehigher layer elements are used in some embodiments to show differentabstract switching elements and/or switching element attributes todifferent users in a virtualized control system. In other words, the NOSof some embodiments generates the multi-layer, hierarchical NIB datastructure, and the NOS or an application that runs on top of the NOSshows different users different views of different parts of thehierarchical levels and/or layers, in order to provide the differentusers with virtualized access to the shared switching elements andnetwork.

The operation of the NIB 1400 will now be discussed in conjunction withFIGS. 15 and 16. FIG. 15 illustrates a portion of a physical network1500 that the NIB 1400 represents. The physical network 1500 comprisesswitch123 1510 that has port1 1520 connected to link479 1530 thatconnects to port3 1540 on host456 1550. The network elements of thenetwork 1500 correspond to NIB objects in NIB 1400. Switch123 1510corresponds to the forwarding engine 1410 in NIB 1400. Port1 1520corresponds to the Port 1420 in NIB 1400. Link479 1530 corresponds tothe Link 1425 in NIB 1400. Port3 1540 corresponds to the Port 1430 inNIB 1400. Host456 1550 corresponds to the host 1435 in NIB 1400. In thismanner, the NIB 1400 can serve as a topology of the physical network1500.

FIG. 16 illustrates a simplified example of the attribute data that theentity objects of the NIB 1400 can contain in some embodiments of theinvention. The objects shown in FIG. 16 correspond to the physicalelements illustrated in FIG. 15 and some of the entity objects of FIG.14. FIG. 16 shows a forwarding engine 1610, a port 1620, a link 1630, aport 1640, and a host 1650. The NIB objects of FIG. 16 store informationas key and value pairs where the keys are types of attributes and thevalues are network entity data. For example, forwarding engine 1610contains the key “ID” that has the value “switch123” to identify thename of the forwarding engine. In this case, forwarding engine 1610corresponds to switch123 1510. Some of the objects can contain pointersto other objects, as shown by the key “ports” and value “port1” offorwarding engine 1610. The value “port1” of forwarding engine 1610corresponds to port1 1520 of the physical network 1500 and port 1420 ofthe NIB 1400. The port class may have more attributes, as will be shownin FIG. 18. In this simplified example, the forwarding engine 1610 hasonly 1 port; however, a forwarding engine may have many more ports.

FIG. 17 conceptually illustrates some of the relationships of some ofthe NIB entity classes of some embodiments. FIG. 17 illustrates thenumerical relationships between several NIB entity classes for someembodiments of the invention. As shown in FIG. 17 by the dashed lines,one node 1710 may have N (where N is equal to or greater than 1) numberof ports 1720. Two or more ports 1720 may share one link 1750.

FIG. 17 also illustrates how entity classes can inherit from otherentity classes. As shown in FIG. 17 by the solid lined arrows, the host1770, forwarding engine 1730, and network 1760 classes inherit from thenode 1710 class. Classes that inherit from another class contain theattributes of the parent class, and may contain additional attributes insome embodiments.

FIG. 18 illustrates a set of NIB entity classes and some of theattributes associated with those NIB entity classes for some embodimentsof the invention. FIG. 19 illustrates a second portion of the same setof NIB entity classes as FIG. 18. Together, the entity classes describedin FIG. 18 and FIG. 19 enable a NOS instance to store a network'sphysical and logical configuration state in a NIB storage structure.FIG. 18 shows the node 1810, port 1820, link 1830, queue-collection1840, and queue 1850 classes. The solid arrows between classes show thatone class contains pointers to another class as an attribute. FIG. 19shows the chassis 1910, forwarding engine 1920, forwarding table 1930,network 1940, host 1950, and user 1960 classes.

The attributes shown in FIGS. 18 and 19 are not the only attributessupportable by the invention. NOS users and NOS developers may extendthis base set of network classes to support additional types of networkelements. The NIB entity classes of some embodiments support inheritanceand can be extended into new classes. For example, a virtual interfaceclass representing a port between a hypervisor and a virtual machine canbe inherited from the port class.

The node class 1810 represents a point on the network that network datacan move between. Examples are physical or virtual switches and hosts.As described in FIG. 17, the forwarding engine 1920 (i.e., 1730),network 1940 (i.e., 1760), and host 1950 (i.e., 1770) classes areinherited from the node 1810 (i.e., 1710) class. Nodes can contain portsthrough which network data can enter and exit the node. Nodes also haveaddresses to represent their location on the network. While no nodeclass is shown in NIB 1400, the host 1435 is inherited from the nodeclass and can have a pointer to a port 1430 even though no ports areshown on the host class 1950 in FIG. 19.

The port class 1820 is the NIB analog to a port on a node. Ports arebound to nodes 1810. Ports have many statistics that are not shown inFIG. 18. The port statistics include the number of transmitted packetsand bytes, the number of received packets and bytes, and the number andtype of transmit errors. Ports may have one attached outgoing link andone attached incoming link acting as a start and an end port,respectively. Ports may be bound to queue-collections to enable qualityof service functionality. As shown in NIB 1400, port 1430 has link 1425attached and is a port of host 1435.

The link class 1830 is the NIB analog to links between ports. Networkdata moves across links. Links have statistics describing their speed,weight, and usage. A link may have one start port and one end port.Typically, a port's incoming and outgoing link are bound to the samelink object, to enable a link to serve as a bi-directional communicationpoint. This is shown by the a solid arrow going from the attached linkof port class 1820 to the link class 1830.

The queue-collection class 1840 is the NIB analog to the set of 8 queuesassociated with the egress ports of industry standard top of rackswitches. Queue-collections are groups of queues that can have portsbound to them. The queue-collection class enables network administratorsto select one queue-collection to manage many ports, thereby placing aconsistent quality of service policy across many ports. The queue class1850 is the NIB analog to the queues attached to egress ports thatschedule packets for processing. The queue class contains statistics andinformation regarding which queue-collection the queue is bound to.Additionally, the queue class has an attribute to describe the identityof the queues above and below the queue.

FIG. 19 illustrates another portion of the set of NIB entity classesdescribed in FIG. 18. In addition, FIG. 19 illustrates the attributesassociated with those NIB entity classes for some embodiments of theinvention. FIG. 19 illustrates the following NIB entity classes: thechassis class 1910, the forwarding engine class 1920, the forwardingtable class 1930, the network class 1940, the host class 1950, and theuser class 1960. The solid arrows between classes show that one classcontains pointers to another class as an attribute.

The chassis class 1910 is the NIB analog to a physical rack of switches.The chassis class contains a plurality of forwarding engines andaddresses the chassis manages. The NIB 1400 has a chassis 1440 withpointers to forwarding engines 1460 and 1410. The forwarding engineclass 1920 is the NIB analog to a network switch. The forwarding enginecontains a set of forwarding tables that can define the forwardingbehavior of a switch on the network. The NIB 1400 has a forwardingengine 1460 with two pointers to two forwarding tables 1465 and 1470.The forwarding engine also contains the datapath ID that a controlleruses to communicate with the forwarding engine.

The forwarding table class 1930 is the NIB analog of the forwardingtables within switches that contain rules governing how packets will beforwarded. The forwarding table class 1930 contains flow entries to bepropagated by NOS instances to the forwarding tables of networkswitches. The flow entries contained in the forwarding table class arethe basic unit of network management. A flow entry contains a rule fordeciding what to do with a unit of network information when that unitarrives in a node on the network. The forwarding table class furthersupports search functions to find matching flow entries on a forwardingtable object.

The host class 1950 is the NIB analog to the physical computers of thenetwork. Typical hosts often have many virtual machines contained withinthem. A host's virtual machines may belong to different users. The hostclass 1950 supports a list of users. The user class 1960 is the NIBanalog to the owner of virtual machines on a host. The network class1940 serves as a black box of network elements that behave in a similarfashion to a node. Packets enter a network and exit a network, but theNOS instances are not concerned with the internal workings of a networkclass object.

FIG. 20 shows a set of common NIB class functions 2000 for someembodiments of the invention. Applications, NOS instances, transfermodules, or in some embodiments, users can control the NIB through thesecommon entity class functions. The common functions include: query,create, destroy, access attributes, register for notifications,synchronize, configure, and pull entity into the NIB. Below is a list ofpotential uses of these common functions by various actors. Differentembodiments of the invention could have different actors using thecommon NIB functions on different NIB entity classes.

An application can query a NIB object to learn its status. A NOSinstance can create a NIB entity to reflect a new element being added tothe physical network. A user can destroy a logical datapath in someembodiments. A NOS instance can access the attributes of another NOSinstance's NIB entities. A transfer module may register for notificationfor changes to the data of a NIB entity object. A NOS instance can issuea synchronize command to synchronize NIB entity object data with datagathered from the physical network. An application can issue a “pullentity into the NIB” command to compel a NOS instance to add a newentity object to the NIB.

III. Multi-Instance Architecture

FIG. 21 illustrates a particular distributed network control system 2100of some embodiments of the invention. In several manners, this controlsystem 2100 is similar to the control system 900 of FIG. 9. Forinstance, it uses several different controller instances to control theoperations of the same switching elements or different switchingelements. In the example illustrated in FIG. 21, three instances 2105,2110 and 2115 are illustrated. However, one of ordinary skill in the artwill understand that the control system 2100 can have any number ofcontroller instances.

Also, like the control system 900, each controller instance includes aNOS 2125, a virtualization application 2130, one or more controlapplications 2135, and a coordination manager (CM) 2120. Each NOS in thesystem 2100 includes a NIB 2140 and at least two secondary storagestructures, e.g., a distributed hash table (DHT) 2150 and a PNTD 2155.

However, as illustrated in FIG. 21, the control system 2100 has severaladditional and/or different features than the control system 900. Thesefeatures include a NIB notification module 2170, NIB transfer modules2175, a CM interface 2160, PTD triggers 2180, DHT triggers 2185, andmaster/slave PTDs 2145/2147.

In some embodiments, the notification module 2170 in each controllerinstance allows applications (e.g., a control application) that run ontop of the NOS to register for callbacks when changes occur within theNIB. This module in some embodiments has two components, which include anotification processor and a notification registry. The notificationregistry stores the list of applications that need to be notified foreach NIB record that the module 2170 tracks, while the notificationprocessor reviews the registry and processes the notifications upondetecting a change in a NIB record that it tracks. The notificationmodule as well as its notification registry and notification processorare a conceptual representation of the NIB-application layernotification components of some embodiments, as the system of theseembodiments provides a separate notification function and registrywithin each NIB object that can be tracked by the application layer.

The transfer modules 2175 include one or more modules that allow data tobe exchanged between the NIB 2140 on one hand, and the PTD or DHTstorage layers in each controller instance on the other hand. In someembodiments, the transfer modules 2175 include an import module forimporting changes from the PTD/DHT storage layers into the NIB, and anexport module for exporting changes in the NIB to the PTD/DHT storagelayers. The use of these modules to propagate data between the NIB andPTD/DHT storage layers will be further described below.

Unlike the control system 900 that has the same type of PTD in eachinstance, the control system 2100 only has PTDs in some of the NOSinstances, and of these PTDs, one of them serves as master PTD 2145,while the rest serve as slave PTDs 2147. In some embodiments, NIBchanges within a controller instance that has a slave PTD are firstpropagated to the master PTD 2145, which then directs the controllerinstance's slave PTD to record the NIB changes. The master PTD 2145similarly receives NIB changes from controller instances that do nothave either master or slave PTDs. The use of the master PTDs inprocessing NIB changes will be further described below.

In the control system 2100, the coordination manager 2120 includes theCM interface 2160 to facilitate communication between the NIB storagelayer and the PTD storage layer. The CM interface also maintains the PTDtrigger list 2180, which identifies the modules of the system 2100 tocall back whenever the CM interface 2160 is notified of a PTD recordchange. A similar trigger list 2185 for handling DHT callbacks ismaintained by the DHT instance 2150. The CM 2120 also has a DHT rangeidentifier (not shown) that allows the DHT instances of differentcontroller instances to store different DHT records in different DHTinstances. The operations that are performed through the CM, the CMinterface, the PTD trigger list, and the DHT trigger list will befurther described below.

Also, in the control system 2100, the PNTD is not placed underneath theNIB storage layer. This placement is to signify that the PNTD in thecontrol system 2100 does not exchange data directly with the NIB storagelayer, but rather is accessible solely by the application(s) (e.g., thecontrol application) running on top of the NOS 2125 as well as otherapplications of other controller instances. This placement is incontrast to the placement of the PTD storage layer 2145/2147 and DHTstorage layers 2150, which are shown to be underneath the NIB storagelayer because the PTD and DHT are not directly accessible by theapplication(s) running on top of the NOS 2125. Rather, in the controlsystem 2100, data are exchanged between the NIB storage layer and thePTD/DHT storage layers of the same or different instances.

The control system 2100 uses the PTD, DHT and PNTD storage layers tofacilitate communication between the different controller instances. Insome embodiments, each of the three storages of the secondary storagelayer uses a different storage and distribution technique to improve theresiliency of the distributed, multi-instance system 2100. For instance,as further described below, the system 2100 of some embodimentsreplicates the PTD across NOS instances so that every NOS has a fullcopy of the PTD to enable a failed NOS instance to quickly reload itsPTD from another instance. On the other hand, the system 2100 in someembodiments distributes the PNTD with partial overlapping distributionsof data across the NOS instances to reduce the damage of a failure.Similarly, the system 2100 in some embodiments distributes the DHT fullyor with minimal overlap across multiple controller instances in order tominimize the size of the DHT instance (e.g., the amount of memory theDHT instance utilizes) within each instance. Also, using this approachallows the system to increase the size of the DHT by adding additionalDHT instances in order to make the system more scalable.

One of the advantages of this system is that it can be configured in anynumber of ways. In some embodiments, this system provides greatflexibility to specify the configurations for the components of thesystem in order to customize its storage and data distribution scheme toachieve the best tradeoff of scalability and speed on one hand, andreliability and consistency on the other hand. Attributes of the storagestructures that affect scalability, speed, reliability and consistencyconsiderations include the speed of the storage (e.g., RAM versus diskaccess speed), the reliability of the storage (e.g., persistentnon-volatile storage of disk versus volatile storage of RAM), the queryinterface of the storage (e.g., simple Put/Get query interface of DHTversus more robust transactional database queries of PTD in someembodiments), and the number of points of failure in the system (e.g., asingle point of failure for a DHT record versus multiple points offailure for a PTD record in some embodiments).

Through the configurations of its components, the system can beconfigured to (1) distribute the data records between the NIB and thesecondary storage structures within one instance (e.g., which secondarystorage should store which NIB record), (2) distribute the data recordsbetween the NIBs of different instances (e.g., which NIB records shouldbe replicated across different controller instances), (3) distribute thedata records between the secondary storage structures within oneinstance (e.g., which secondary storage records contain which records),(4) distribute the data records between the secondary storage structuresof different instances (e.g., which secondary storage records arereplicated across different controller instances), (5) distributesecondary storage instances across controller instances (e.g., whetherto put a PTD, a DHT, or a Stats database instance within each controlleror whether to put different subsets of these storages within differentinstances), and (6) replicate data records in the distributed secondarystorage structures (e.g., whether to replicated PTD fully across allinstances, whether to replicate some or all DHT records across more thanone instance, etc.). The system also allows the coordination between thedifferent controller instances as to the master control over differentswitching elements or different portions of the NIB to be configureddifferently. In some embodiments, some or all of these configurationscan be specified by applications (e.g., a control application or avirtualization application) that run on top of the NOS.

In some embodiments, as noted above, the CMs facilitate intra-controllercommunication related to fault tolerance of controller instances. Forinstance, the CMs implement the intra-controller communication throughthe secondary storage layers described above. A controller instance inthe control system may fail due to any number of reasons (e.g., hardwarefailure, software failure, network failure, etc.). Different embodimentsmay use different techniques for determining whether a controllerinstance has failed. In some embodiments, Paxos protocol is used todetermine whether a controller instance in the control system hasfailed. While some of these embodiments may use Apache Zookeeper toimplement the Paxos protocol, other of these embodiments may implementPaxos protocol in other ways.

Some embodiments of the CM 2120 may utilize defined timeouts todetermine whether a controller instance has failed. For instance, if aCM of a controller instance does not respond to a communication (e.g.,sent from another CM of another controller instance in the controlsystem) within an amount of time (i.e., a defined timeout amount), thenon-responsive controller instance is determined to have failed. Othertechniques may be utilized to determine whether a controller instancehas failed in other embodiments.

When a controller instance fails, a new master for the logical data pathsets and the switching elements, of which the failed controller instancewas a master, needs to be determined. Some embodiments of the CM 2120make such determination by performing a master election process thatelects a master controller instance (e.g., for partitioning managementof logical data path sets and/or partitioning management of switchingelements). The CM 2120 of some embodiments may perform a master electionprocess for electing a new master controller instance for both thelogical data path sets and the switching elements of which the failedcontroller instance was a master. However, the CM 2120 of otherembodiments may perform (1) a master election process for electing a newmaster controller instance for the logical data path sets of which thefailed controller instance was a master and (2) another master electionprocess for electing a new master controller instance for the switchingelements of which the failed controller instance was a master. In thesecases, the CM 2120 may determine two different controller instances asnew controller instances: one for the logical data path sets of whichthe failed controller instance was a master and another for theswitching elements of which the failed controller instance was a master.

In some embodiments, the master election process is further forpartitioning management of logical data path sets and/or management ofswitching elements when a controller instance is added to the controlsystem. In particular, some embodiments of the CM 2120 perform themaster election process when the control system 2100 detects a change inmembership of the controller instances in the control system 2100. Forinstance, the CM 2120 may perform the master election process toredistribute a portion of the management of the logical data path setsand/or the management of the switching elements from the existingcontroller instances to the new controller instance when the controlsystem 2100 detects that a new network controller has been added to thecontrol system 2100. However, in other embodiments, redistribution of aportion of the management of the logical data path sets and/or themanagement of the switching elements from the existing controllerinstances to the new controller instance does not occur when the controlsystem 2100 detects that a new network controller has been added to thecontrol system 2100. Instead, the control system 2100 in theseembodiments assigns unassigned logical data path sets and/or switchingelements (e.g., new logical data path sets and/or switching elements orlogical data path sets and/or switching elements from a failed networkcontroller) to the new controller instance when the control system 2100detects the unassigned logical data path sets and/or switching elementshave been added.

The control system's use of the PTD, DHT and PNTD storage layers tofacilitate communication between the different controller instances willbe described further in sub-section III.A below. This discussion willthen be followed by a discussion of the operations of the CM 2120 insub-section III.B. Section IV then describes the architecture of asingle controller instance of the system 2100 in some embodiments.

A. Facilitating Communication in Distributed System

The distributed control system 2100 of some embodiments uses thesecondary storage structures as communication channels between thedifferent controller instances 2105, 2110, and 2115. The distributedcontrol system of some embodiments makes such a use of the secondarystorage structures because it provides a robust distributed logic, whereoften the rules for distributing a data record reside in the storagelayer adjacent to the data record. This scheme is also advantageous asit modularizes the design of the different components of the distributedsystem. It also simplifies the addition of new controller instances inthe system. It further allows some or all of the applications running ontop of the NOS (e.g., the control application(s) and/or thevirtualization application) within each instance to operate as anindependent logical silo from the other controller instances, as theapplication does not need to know how the system distributes controlover the switching elements.

Because of the differing properties of the secondary storage structures,the secondary storage structures provide the controller instances withdifferent mechanisms for communicating with each other. For instance,the control system 2100 uses the PTD storage layer to push data betweendifferent controller instances, while it uses the DHT storage layer toenable different controller instances to post data and pull data fromthe DHT storages.

Specifically, in some embodiments, different DHT instances can bedifferent, and each DHT instance is used as a bulletin board for one ormore instances to store data so that they or other instances canretrieve this data later. In some embodiments, the DHT is a one-hop,eventually-consistent, memory-only DHT. A one-hop DHT, in someembodiments, is configured in a full mesh such that each DHT instance isconnected to each other DHT instance. In this way, if a particular DHTinstance does not have piece of data, the particular DHT instance canretrieve the piece of data from another DHT instance that is “one-hop”away instead of having to traverse multiple DHT instances in order toretrieve the piece of data. However, the system 2100 in some embodimentsmaintains the same switch element data records in the NIB of eachinstance, and replicates some or all of the NIB records in the PTDs 2145and 2147 of the controller instances 2105 and 2110. By replicating thePTDs across all instances, the system 2100 pushes NIB changes from onecontroller instance to another through the PTD storage layer. Pushingthe NIB changes through the PTD storage layer involves the use of themaster PTD 2145.

While maintaining some of the NIB records in the PTD, the system 2100 insome embodiments maintains a portion of the NIB data in the DHT instance2150. The DHT instance in some embodiments is a distributed storagestructure that is stored in the volatile system memory with minimalreplications to enable greater scalability. As discussed above,applications can configure the distribution of NIB data records betweenthe PTD and the DHT. In some embodiments, the typical configurationdistributes fast changing information (e.g., link state, statistics,entity status) to the DHT and slow changing information (e.g., existencenode and port entities) to the PTD.

Performing NIB and PTD replication through the master PTD will bedescribed in sub-section III.A.1 below. Sub-section III.A.2 will thendescribe distributing data among the controller instances through theDHT storage layer. Sub-section III.A.3 then describes distributing dataamong controller instances through the PNTD storage layer.

1. PTD Replication

In some embodiments, the system 2100 maintains the same switch elementdata records in the NIB of each instance. In the NIBs, the system 2100stores physical network data and in some embodiments logical networkdata. The system 2100 of some embodiments stores some or all of therecords of each instance's NIB in that instance's PTD. For instance, insome embodiments, the system 2100 stores in the PTDs slow changingnetwork state data (e.g., network policy declarations, switching elementinventories, other physical network element inventories, etc.) thatneeds to be stored in a more durable manner but does not need to befrequently updated.

By replicating the PTDs across all instances, the system 2100 pushessome or all of the NIB changes from one controller instance to anotherthrough the PTD storage layer. FIG. 22 illustrates pushing a NIB changethrough the PTD storage layer. Specifically, it shows four data flowdiagrams, with (1) one diagram 2205 conceptually illustrating thepropagation of a NIB change from a first controller 2220 to a secondcontroller 2225 through the PTD storage layers of the two controllers,and (2) three diagrams 2210, 2215, and 2217 illustrating alternativeuses of a master PTD 2260 of a third controller 2230 in performing thispropagation. In this figure, the use of the CM 2120 and CM interface2160 is ignored to simplify the description of this figure. However, theuse of the CM 2120 and CM interface 2160 in performing the PTDreplication will be further described below.

The flow diagram 2205 conceptually illustrates the propagation of achange in a NIB 2235 of the first controller 2220 to a NIB 2245 of thesecond controller 2225, through the PTDs 2240 and 2250 of these twocontrollers 2220 and 2225. In this diagram as well as the other threediagrams, the NIBs 2235 and 2245 are shown above a dashed line 2255 andthe PTDs 2240 and 2250 are shown below the dashed line 2255 in order toconvey that the NIBs are part of a NIB storage layer across all of thecontroller instances, while the PTDs are part of a PTD storage layeracross all of the controller instances.

In the flow diagram 2205 as well as the other three diagrams, the flowof data between components is indicated by way of arrows and numbers,with each number indicating an order of an operation in the flow of databetween the layers. Accordingly, the flow diagram 2205 shows that thechange in the NIB 2235 is initially transferred to the PTD 2240 withinthe same controller instance 2220. This change is then pushed to the PTD2250 of the second controller instance 2225. From there, the change ispropagated to the NIB 2245 of the second controller instance 2225.

The flow diagram 2205 is illustrative of the sequence of operations thatare performed to propagate a NIB change through the PTD storage layer.However, for the control system 2100 of some embodiments, the flowdiagram 2205 simply illustrates the concept of propagating a NIB changethrough the PTD storage layer. It is not an illustration of the actualsequence of operations for propagating a NIB change in such a system,because the control system 2100 uses a master PTD 2145 as a single pointof replication to ensure consistency across the PTD layers 2240, 2260,and 2250.

While ignoring the operations of the CM and CM interface, the flowdiagram 2210 provides a more representative diagram of the sequence ofoperations for propagating a NIB change in the system 2100 for someembodiments of the invention. This diagram shows that in the system 2100of some embodiments, the first controller's PTD 2240 pushes a NIB changethat it receives from its NIB 2235 to a master PTD 2260, which mayreside in another controller instance 2230, as illustrated in diagram2210. The master PTD 2260 then directs each slave PTD 2240 and 2250 toupdate their records based on the received NIB change. In the embodimentillustrated in flow diagram 2210, the master PTD 2260 even notifies thePTD 2240 to update its records. In other words, the system of someembodiments does not make a NIB change in the PTD of the instance thatoriginated the NIB change, without the direction of the master PTD 2260.In some embodiments, instead of the master PTD sending the changed PTDrecord to each slave PTD, the master PTD notifies the slave instances ofthe PTD change, and then the slave instances query the master PTD topull the changed PTD record.

Once the slave PTDs 2240 and 2250 notify the master PTD 2260 that theyhave updated their records based on the NIB change, the master PTDdirects all the NIBs (including the NIB 2245 of the second controllerinstance 2225 as well as a NIB 2270 of the third controller instance2230) to modify their records in view of the NIB change that originatedfrom controller instance 2220. The master PTD 2260 in some embodimentseffectuates this modification through the CM interface and a NIB importmodule that interfaces with the CMI. This NIB import module is part ofthe NIB transfer module 2175 that also includes a NIB export module,which is the module used to propagate the NIB change from the NIB 2235to the PTD 2240. In some embodiments, the master PTD notifies the NIBimport module of the changed PTD record, and in response the NIB importmodule queries the master PTD for the changed record. In otherembodiments, the master PTD sends to the NIB import module the changedPTD record along with its notification regarding the change to itsrecord. The use of the CM interface, the NIB export module, and the NIBimport module to effectuate NIB-to-NIB replication will be furtherdescribed below.

The flow diagram 2215 presents an alternative data flow to the diagram2210 for the NIB-to-NIB replication operations that involve the masterPTD in some embodiments. The flow 2215 is identical to the flow 2210except that in the flow 2215, the master PTD is only responsible fornotifying its own NIB 2270 of the NIB change as it is not responsiblefor directing the NIB 2245 of the instance 2225 (or the NIB of any otherslave instance) to make the desired NIB change. The NIB change ispropagated in the diagram 2215 to the NIB 2245 through the PTD 2250 ofthe second instance. In different embodiments, the PTD 2250 usesdifferent techniques to cause the NIB 2245 to change a record. In someembodiments, the PTD 2250 notifies the import module of NIB 2245 of thechanged PTD record, and in response the NIB import module queries thePTD 2250 for the changed record. In other embodiments, the PTD 2250sends to the import module of the NIB 2245 the changed PTD record alongwith its notification regarding the change to its record.

The flow diagram 2217 presents yet another alternative data flow to thediagrams 2210 and 2215 for the NIB-to-NIB replication operations thatinvolve the master PTD in some embodiments. The flow 2217 is identicalto the flow 2210 except that in the flow 2217, the slave NIB 2235directly notifies the master PTD 2260 of the change to its NIB. In otherwords, the notification regarding the change in the NIB 2235 is notrelayed through slave PTD 2240. Instead, the export module of the slaveNIB 2235 directly notifies the master PTD 2260 (through the CM interface(not shown)). After being notified of this change, the master PTD 2260in the flow 2217 first notifies the slave PTDs 2240 and 2250, and thennotifies the slave NIB 2245 and its own NIB 2270, as in the flow diagram2210.

The control systems of other embodiments use still other alternativeflows to those illustrated in diagrams 2210, 2215 and 2217. Forinstance, another flow involves the same sequence of operations asillustrated in diagrams 2210 and 2215, except that the PTD 2240 of theinstance 2220 records the NIB change before the master PTD is notifiedof this change. In this approach, the master PTD would not have todirect the PTD 2240 to modify its records based on the received NIBchange. The master PTD would only have to notify the other slave PTDs ofthe change under this approach.

Other control systems of other embodiments use still other flows tothose illustrated in diagrams 2210, 2215, and 2217. For instance, insome systems that do not use master PTDs, the flow illustrated indiagram 2205 is used to replicate a NIB change across instances. Yetanother flow that such systems use in some embodiments would be similarto the flow illustrated in the diagram 2205, except that the PTD 2240would be the component that notifies the NIB 2245 of the NIB changeafter the PTD 2240 notifies the PTD 2250 of the NIB change.

2. DHT Access

In the control system 2100 of some embodiments, the DHT instances 2150of all controller instances collectively store one set of records thatare indexed based on hashed indices for quick access. These records aredistributed across the different controller instances to minimize thesize of the records within each instance and to allow for the size ofthe DHT to be increased by adding additional DHT instances. According tothis scheme, one DHT record is not stored in each controller instance.In fact, in some embodiments, each DHT record is stored in at most onecontroller instance. To improve the system's resiliency, someembodiments, however, allow one DHT record to be stored in more than onecontroller instance, so that in case one DHT record is no longeraccessible because of one instance failure, that DHT record can beaccessed from another instance. The system of some embodiments stores inthe DHT rapidly changing network state that is more transient in nature.This type of data often can be quickly re-generated. Accordingly, someof these embodiments do not allow for replication of records acrossdifferent DHT instances or only allow a small amount of such records tobe replicated. In some embodiments, rapidly changing NIB data is storedin the DHT to take advantage of the DHT's aforementioned properties.

Because the system of these embodiments does not replicate DHT recordsacross all DHT instances, it needs to have a mechanism for identifyingthe location (or the primary location in case of a DHT record that isstored within more than one DHT) of a DHT record. The CM 2120 providessuch a mechanism in some embodiments of the invention. Specifically, asfurther described below, the CM 2120 of some embodiments maintains ahash value range list that allows the DHT instances of differentcontroller instances to store different DHT records in different DHTinstances.

FIG. 23 illustrates an example of such a range list 2300 that ismaintained by the CM in some embodiments. In this example, three DHTinstances 2320, 2325, and 2330 operate within three controller instances2305, 2310, and 2315. Each DHT instance in this example includes 2¹⁶records. Each DHT record can store one or more values, although FIG. 23only shows one value being stored in each record. Also, each DHT recordis identifiable by a particular hash index. The hash indices in thisexample start from 0 and end with 2⁴⁸.

FIG. 23 further illustrates that the range list 2300 identifies therange of hash values associated with each controller instance (by theuniversal unique identifier (UUID) of that controller). In someembodiments, this list is generated and maintained by one or more CMs ofone or more controller instances. In each controller, the DHT instancethen accesses the CM of that instance to identify the appropriate DHTinstance for a particular DHT record. That instance's CM can maintainthe range list locally or might access another CM to obtain theidentification from the range list. Alternatively, in some embodiments,the range list is maintained by each DHT instance or by a non-CM modulewithin each controller instance.

FIG. 24 presents an example that conceptually illustrates theDHT-identification operation of the CM 2120 in some embodiments of theinvention. To illustrate this example, it shows two data flow diagrams,with (1) one diagram 2405 conceptually illustrating the use of a CM 2120by one DHT instance 2435 of a first controller 2415 to modify a recordin another DHT instance 2440 of a second controller 2420, and (2) theother diagram 2410 conceptually illustrating the use of the CM 2120 byanother DHT instance 2445 of a third controller 2425 to read themodified record in the DHT instance 2440 of the second controller 2420.In this figure, the use of the CM 2120 in generating, maintaining, andpropagating the DHT record range list is ignored to simplify thedescription of this figure. The use of the CM 2120 in performing theseoperations will be further described below.

In FIG. 24, the flow diagram 2405 conceptually illustrates thepropagation of a change in a NIB 2430 of the first controller 2415 tothe DHT instance 2440 of the second controller 2420, through the DHTinstance 2435 of first controller 2415. In this diagram as well as theother diagram 2410, the NIBs 2430 and 2450 are shown above a dashed line2465 and the DHT instances 2435, 2440, and 2445 are shown below thedashed line 2465 in order to convey that the NIBs are part of a NIBstorage layer across all of the controller instances, while the DHTinstances are part of a DHT storage layer across all of the controllerinstances. Also, in the flow diagram 2405 as well as the other diagram2410, the flow of data between components is indicated by way of arrowsand numbers, with each number indicating an order of operation in theflow of data between the layers.

The flow diagram 2405 shows that the change in the NIB 2430 is initiallytransferred to the DHT instance 2435 within the same controller instance2415. The DHT instance does not necessarily change the records that itkeeps because the DHT instance 2435 might not store a DHT record thatcorresponds to the changed NIB record for which it receives thenotification from NIB 2430. Hence, in response to the NIB changenotification that it receives, the DHT instance checks the hash valuerange list 2460 to identify the DHT instance that stores the DHT-layerrecord that corresponds to the modified NIB record. To identify this DHTinstance, the DHT instance 2435 uses a hash index for the DHT recordthat it needs to locate. In some embodiments, the DHT instance 2435generates this hash value when it receives the NIB change notificationfrom the NIB 2430.

Based on the hash index, the DHT instance 2435 obtains the identity ofDHT instance 2440 from the DHT range list 2460. The DHT instance 2435then directs the DHT instance 2440 to modify its DHT record to reflectthe received NIB change. In some embodiments, the DHT instance 2435directs the DHT instance 2440 to modify its records, by supplying theDHT instance 2440 with a Put command, which supplies the DHT instance2440 with a key, a hash value based on the key, and a value to storealong with the hash value. The DHT instance 2440 then modifies its DHTrecords based on the request that it receives from the DHT instance2435.

The flow diagram 2410 shows the NIB 2450 of the third controllerinstance 2425 pulling from DHT instance 2440 the record that was createdat the end of the flow illustrated in diagram 2405. Specifically, itshows the DHT instance 2445 of the third controller instance 2425receiving a DHT record request from its corresponding NIB 2450. The NIB2450 might need to pull a DHT record for a variety of reasons. Forinstance, when the NIB creates a new node for a new port, it might needto obtain some statistics regarding the port to populate its NIBrecords.

In response to the received DHT record request, the DHT instance 2445checks the hash value range list 2460 to identify the DHT instance thatstores the requested DHT record. To identify this DHT instance, the DHTinstance 2445 uses a hash index for the DHT record that it needs tolocate. In some embodiments, the DHT instance 2445 generates this hashvalue when it receives the request from the NIB 2450.

Based on the hash index, the DHT instance 2445 obtains the identity ofDHT instance 2440 from the DHT range list 2460. The DHT instance 2445then directs the DHT instance 2440 to provide the requested DHT record.In some embodiments, the DHT instance 2445 directs the DHT instance 2440for the requested record, by supplying the DHT instance 2440 with a Getcommand, which supplies the DHT instance 2440 with a key and/or a hashvalue based on the key. The DHT instance 2440 then supplies the valuestored in the specified DHT record to the DHT instance 2445, which, inturn, supplies this value to the NIB 2450.

3. PNTD

As described above, the system 2100 includes a PNTD 2155 in someembodiments of the invention. The PNTD stores information for a user orapplication to review. Examples of such information include errormessages, log files, and billing information. The PNTD can receive pushor pull commands from the application layer above the NOS, asillustrated in FIG. 26 by the arrow linking the PNTD 2645 to theapplication interface 2605. FIG. 26 will be described in detail furtherbelow.

In some embodiments, the PNTD is a distributed software database, suchas Cassandra. For example, in some embodiments, each instance's PNTDstores the records generated by that instance's applications or by otherapplications of other instances. Each instance's PNTD records can belocally accessed or remotely accessed by the other controller instanceswhenever these instances need these records. This distributed nature ofthe PNTD allows the PNTD to be scalable as additional controllerinstances are added to the control system. In other words, addition ofother controller instances increases the overall size of the PNTDstorage layer.

The system 2100 uses the PNTD to store information in a durable mannerthat does not require the same degree of replication as the PTD 2145. Insome embodiments, the PNTD is stored on a non-volatile storage medium,such as a hard disk.

The PNTD 2155 is a distributed storage structure similar to the DHTinstance 2150. Similar to the DHT, data records in the PNTD aredistributed across each NOS controller instance that has a PNTD.However, unlike the DHT or the PTD, the PNTD 2155 has no support for anytrigger or notification functionality. Similar to the DHT instance 2150,the PNTD 2155 has a configurable level of replication. In someembodiments, data records are stored only once across the entire system,in other embodiments the data records are replicated across aconfigurable portion of the controller instances running a PNTD toimprove the resiliency of the data records. In other words, the PNTD insome embodiments is not replicated across different instances or is onlypartially replicated across different instances, while in otherembodiments, the PNTD is replicated fully across different instances.

B. Coordination Manager

In some embodiments, the different controller instances of the system2100 communicate with each other through the secondary storagestructures, as described above. Also, as described above, the system2100 in some embodiments uses the CMs 2120 to facilitate much of thecommunication between the secondary storages of the different controllerinstances. The CM 2120 in each instance is also configured in someembodiments to specify control of different controller instances overdifferent switching elements.

FIG. 25 illustrates the CM 2500 of one controller instance of someembodiments. The CM 2500 provides several service operations that allowit to coordinate different sets of activities between its controllerinstance and other controller instances. Examples of such servicesinclude (1) maintaining order of all inter-instance requests, (2)maintaining lists of NOS instances, CM instances, NIB masters, andswitching element masters, (3) maintaining DHT range identifiers, (4)maintaining a list of triggered callbacks for PTD storage access, (5)providing an interface between the NIB and PTD storage layers, and (6)providing an interface to other CMs of other instances.

As shown in FIG. 25, the CM 2500 includes a CM-to-CM interface 2505, aNIB-to-PTD interface 2510, a master tracker 2515, a PTD trigger tracker2525, a CM processor 2530, a NOS tracker 2535, a DHT range identifier2545, an ordering module 2550, and a CM instance tracker 2555. TheCM-to-CM interface 2505 serves as the interface for passingcommunication between the different CMs of the different controllerinstances. Such communication is at times needed when distributing dataneeded for secondary storage layer communication between the differentinstances. For instance, such communication is needed to route one NIBchange from one controller that has a slave PTD to another controllerthat has a master PTD.

The NIB-to-PTD interface 2510 serves as the interface to facilitatecommunications between NIB and PTD storage layers. On the NIB side, theinterface 2510 communicates with transfer modules that import and exportdata to and from the NIB. On the PTD side, the interface 2510 in someembodiments communicates (1) with the CM-to-CM interface 2505 (throughthe CM processor 2530) to facilitate communication between master andslave PTDs, (2) with the query manager of the PTD to effectuate a PTDaccess (e.g., a PTD write), and (3) with the query manager of the PTD toreceive PTD layer callbacks when records change in the PTD. In someembodiments, the interface 2510 converts NIB queries to the PTD into aquery format that is suitable for the PTD. In other embodiments,however, the NIB transfer modules provide the PTD queries in a formatsuitable for the PTD.

The CM processor 2530 receives communications from each interface 2505or 2510. It routes such communications to the other interface, ifneeded, or to the other modules of the CM 2500, if needed. One exampleof a communication that the CM processor routes to the appropriate CMmodule is a PTD trigger call back that it receives from the PTD of itscontroller instance. As further described below, the PTD can beconfigured on a record-by-record basis to call back the CM when aparticular record has changed. The CM uses the PTD trigger tracker 2525to maintain a PTD trigger list 2570 that allows the CM to identify fordifferent PTD records, different sets of modules within the samecontroller instance or within other controller instances that the CMneeds to notify of the particular record's change in its associated PTD.Maintaining the PTD trigger list outside of the PTD is beneficial forseveral reasons, including keeping the size of the PTD small, avoidingreplication of such lists across PTDs, etc.

The CM processor 2530 also uses the ordering module 2550 to maintain theordering of the inter-instance communications and/or tasks. To maintainsuch ordering, the ordering modules of different embodiments usedifferent processes and ordering schemes. Some of these orderingprocesses maintain total ordering among packets exchanged between thedifferent controller instances. Examples of such ordering processesinclude the Paxos protocols and processes.

In some embodiments, the ordering module includes a time stamper totimestamp each communication that it receives that needs inter-instancecoordination. The timestamps allow the CM 2500 to process communicationsin an appropriate sequential manner to ensure data consistency andreliability across the instances for the communications (e.g., PTDstorage layer communications) that need such consistency andreliability. Instead of a time stamper, the CM processor 2530 uses othertechniques or modules in other embodiments to ensure that thecommunications that it receives are processed in the appropriatesequential manner to facilitate the proper coordination of activitiesbetween the different controller instances, as mentioned above.

The CM processor 2530 also directs the DHT range identifier 2545 togenerate and update the DHT range list 2565. In some embodiments, the CMprocessor directs the range identifier to update the range list 2565periodically or upon receiving a communication through one of theinterfaces 2505 or 2510. As discussed above, the DHT instances use therange list 2565 to identify the location of each DHT record in the DHTinstances. In some embodiments, the DHT instances access the DHT rangelist directly, while in other embodiments the DHT instances access thislist through the CM, which they access through a DHT-to-CM interface(not shown).

In addition to the DHT range list and the PTD trigger list, the CM 2500maintains four other lists, which are the CM instance list 2560, the NOSinstance list 2540, the switching element master list 2520, and the NIBmaster list 2575. The CM instance list 2560 is a list of all active CMinstances, and this list is maintained by CM Instance tracker 2555. TheNOS instance list 2540 is a list of all active NOS instances and thislist is maintained by the NOS tracker 2535.

The switch element and the NIB master lists 2520 and 2575 are maintainedby the master tracker 2515. In some embodiments, the switching elementmaster list identifies a master controller instance for each switchingelement, and one or more back-up controller instances for each mastercontroller in case the master controller fails. The CM 2500 designatesone controller instance within the control system as the master of anygiven switching element, in order to distribute the workload and toavoid conflicting operations from different controller instances. Bydistributing the control of these operations over several instances, thesystem can more easily scale up to handle additional switching elements.

In some embodiments, the NIB master list 2575 identifies (1) a masterfor each portion (e.g., each record or set of records) of the NIB, (2)one or more back up controller instances for each identified master touse in case the master fails, and (3) access and/or modification rightsfor each controller instance with respect to each portion of NIB. Evenwith one master controller as master of a portion of the NIB, differentcontroller instances can request a change to the portion controlled bythe master. If allowed, the master instance effectuates this change,which is subsequently written to the switching element by the switchelement master. Otherwise, the master rejects the request.

Some embodiments use the access and/or modification rights in the NIBmaster list to restrict changes to different portions of the NIB todifferent subsets of the controller instances. Each subset might onlyinclude in some embodiments the master controller instance that canmodify the NIB portion or the switching element record that correspondsto the NIB portion that is subject to the requested change.Alternatively, in some embodiments, a subset might include one or morecontroller instances in addition to the master controller instance forthe NIB portion.

In some embodiments, a first controller instance can be master of aswitch and a second controller instance can be master of a correspondingrecord for that switch in the NIB. In such a case, the second controllerinstance would determine whether a requested change to the NIB isallowed (e.g., from a control application of any of the controllerinstances), while the first controller instance would modify the switchrecords if the second controller instance modifies the NIB in responseto the requested change. If a request to change the NIB is not allowed,the NIB master controller (e.g., the second instance in the exampleabove) would reject the request. Different embodiments use differenttechniques to propagate NIB modification requests through a controlsystem, and some of these techniques are described below.

In some embodiments, each controller instance queries its CM 2500 todetermine whether it is the master of the NIB portion for which itreceives a NIB change, or whether it is the master of the switchingelement for which it has detected a change in the NIB. The CM 2500 thenexamines its NIB master list 2575 (e.g., through the CM processor 2530and master tracker 2515) or its switch master list 2520 (e.g., throughthe CM processor 2530 and master tracker 2515) to determine whether theinstance is the master of the switching element.

By allowing rights to be specified for accessing and/or modifying NIBrecords, the CM 2500 allows the control system 2100 to partitionmanagement of logical data path sets (also referred to as serializedmanagement of logical data path sets). Each logical data path setincludes one or more logical data paths that are specified for a singleuser of the control system. Partitioning management of the logical datapath sets involves specifying for each particular logical data path setonly one controller instance as the instance responsible for changingNIB records associated with that particular logical data path set. Forinstance, when the control system uses three switching elements tospecify five logical data path sets for five different users with twodifferent controller instances, one controller instance can be themaster for NIB records relating to two of the logical data path setswhile the other controller instance can be the master for the NIBrecords for the other three logical data path sets. Portioningmanagement of logical data path sets ensures that conflicting values forthe same logical data path sets are not written to the NIB by twodifferent controller instances, and thereby alleviates the applicationsrunning on top of the NOS from guarding against the writing of suchconflicting values.

Irrespective of whether the control system partitions management oflogical data path sets, the control system of some embodiments allowsone control application that operates on controller instance to requestthat the control system lock down or otherwise restrict access to one ormore NIB records for an entire logical data path set or a portion of it,even when that controller instance is not the master of that logicaldata path set. In some embodiments, this request is propagated throughthe system (e.g., by any propagation mechanism, including NIB/PTDreplication, etc.) until it reaches the controller instance that is themaster of the NIB portion. In some embodiments, the system allows eachlock down operation to be specified in terms of one or more tasks thatcan be performed on one or more data records in the NIB.

The CM 2500 of the master controller determines whether a request tolock down or otherwise restrict access to a set of NIB records isallowed. If so, it will modify the records in its NIB master list sothat subsequent requests for modifying the affected set of NIB recordsby other controller instances will be appropriately restricted.

In some embodiments, the CMs across all of the controller instancesperform unified coordination activity management in a distributedmanner. This coordination is facilitated by the CM processor 2530 andthe procedures that it follows. In some embodiments, some or all of themodules of the CM 2500 are implemented by using available coordinationmanagement applications. For instance, some embodiments employ theApache Zookeeper application to implement some or all of the modules ofthe CM 2500.

As mentioned above, the CMs of some embodiments facilitateintra-controller communication related to fault tolerance of controllerinstances. As such, some embodiments of the CM-to-CM interface 2505 passthese fault tolerance communications between the different CMs of thedifferent controller instances. In some of these embodiments, the CMprocessor 2530 executes Apache Zookeeper, which implements the Paxosprotocols, for determining whether a controller instance has failed. Inaddition, the CM processor 2530 of some such embodiments defines atimeout for determining that a controller instance is non-responsive andthus has failed. In other such embodiments, the timeout may bepredefined. Furthermore, upon failure of a controller instance, someembodiments of the CM processor 2530 may be responsible for performing amaster election process(es) to elect a new master controller instance(e.g., for logical data path sets and switching elements of which thefailed controller instance was a master) to replace the failedcontroller instance.

IV. Controller Instance

A. Architecture

FIG. 26 conceptually illustrates a single NOS instance 2600 of someembodiments. This instance can be used as a single NOS instance in thedistributed control system 2100 that employs multiple NOS instances inmultiple controller instances. Alternatively, with slight modifications,this instance can be used as a single NOS instance in a centralizedcontrol system that utilizes only a single controller instance with asingle NOS instance. The NOS instance 2600 supports a wide range ofcontrol scenarios. For instance, in some embodiments, this instanceallows an application running on top of it (e.g., a control orvirtualization application) to customize the NIB data model and havecontrol over the placement and consistency of each element of thenetwork infrastructure.

Also, in some embodiments, the NOS instance 2600 provides multiplemethods for applications to gain access to network entities. Forinstance, in some embodiments, it maintains an index of all of itsentities based on the entity identifier, allowing for direct querying ofa specific entity. The NOS instance of some embodiments also supportsregistration for notifications on state changes or the addition/deletionof an entity. In some embodiments, the applications may further extendthe querying capabilities by listening for notifications of entityarrival and maintaining their own indices. In some embodiments, thecontrol for a typical application is fairly straightforward. It canregister to be notified on some state change (e.g., the addition of newswitches and ports), and once notified, it can manipulate the networkstate by modifying the NIB data tuple(s) (e.g., key-value pairs) of theaffected entities.

As shown in FIG. 26, the NOS 2600 includes an application interface2605, a notification processor 2610, a notification registry 2615, a NIB2620, a hash table 2624, a NOS controller 2622, a switch controller2625, transfer modules 2630, a CM 2635, a PTD 2640, a CM interface 2642,a PNTD 2645, a DHT instance 2650, switch interface 2655, and a NIBrequest list 2660.

The application interface 2605 is a conceptual illustration of theinterface between the NOS and the applications (e.g., control andvirtualization applications) that can run on top of the NOS. Theinterface 2605 includes the NOS APIs that the applications (e.g.,control or virtualization application) running on top of the NOS use tocommunicate with the NOS. In some embodiments, these communicationsinclude registrations for receiving notifications of certain changes inthe NIB 2620, queries to read certain NIB attributes, queries to writeto certain NIB attributes, requests to create or destroy NIB entities,instructions for configuring the NOS instance (e.g., instructionsregarding how to import or export state), requests to import or exportentities on demand, and requests to synchronize NIB entities withswitching elements or other NOS instances.

The switch interface 2655 is a conceptual illustration of the interfacebetween the NOS and the switching elements that run below the NOSinstance 2600. In some embodiments, the NOS accesses the switchingelements by using the OpenFlow or OVS APIs provided by the switchingelements. Accordingly, in some embodiments, the switch interface 2655includes the set of APIs provided by the OpenFlow and/or OVS protocols.

The NIB 2620 is the data storage structure that stores data regardingthe switching elements that the NOS instance 2600 is controlling. Insome embodiments, the NIB just stores data attributes regarding theseswitching elements, while in other embodiments, the NIB also stores dataattributes for the logical data path sets defined by the user. Also, insome embodiments, the NIB is a hierarchical object data structure (suchas the ones described above) in which some or all of the NIB objects notonly include data attributes (e.g., data tuples regarding the switchingelements) but also include functions to perform certain functionalitiesof the NIB. For these embodiments, one or more of the NOSfunctionalities that are shown in modular form in FIG. 26 are conceptualrepresentations of the functions performed by the NIB objects. Severalexamples of these conceptual representations are provided below.

The hash table 2624 is a table that stores a hash value for each NIBobject and a reference to each NIB object. Specifically, each time anobject is created in the NIB, the object's identifier is hashed togenerate a hash value, and this hash value is stored in the hash tablealong with a reference (e.g., a pointer) to the object. The hash table2624 is used to quickly access an object in the NIB each time a dataattribute or function of the object is requested (e.g., by anapplication or secondary storage). Upon receiving such requests, the NIBhashes the identifier of the requested object to generate a hash value,and then uses that hash value to quickly identify in the hash table areference to the object in the NIB. In some cases, a request for a NIBobject might not provide the identity of the NIB object but insteadmight be based on non-entity name keys (e.g., might be a request for allentities that have a particular port). For these cases, the NIB includesan iterator that iterates through all entities looking for the keyspecified in the request.

The notification processor 2610 interacts with the application interface2605 to receive NIB notification registrations from applications runningon top of the NOS and other modules of the NOS (e.g., such as an exportmodule within the transfer modules 2630). Upon receiving theseregistrations, the notification processor 2610 stores notificationrequests in the notification registry 2615 that identifies eachrequesting party and the NIB data tuple(s) that the requesting party istracking.

As mentioned above, the system of some embodiments embeds in each NIBobject a function for handling notification registrations for changes inthe value(s) of that NIB object. For these embodiments, the notificationprocessor 2610 is a conceptual illustration of the amalgamation of allthe NIB object notification functions. Other embodiments, however, donot provide notification functions in some or all of the NIB objects.The NOS of some of these embodiments therefore provides an actualseparate module to serve as the notification processor for some or allof the NIB objects.

When some or all of the NIB objects have notification functions in someembodiments, the notification registry for such NIB objects aretypically kept with the objects themselves. Accordingly, for some ofthese embodiments, the notification registry 2615 is a conceptualillustration of the amalgamation of the different sets of registeredrequestors maintained by the NIB objects. Alternatively, when some orall of the NIB objects do not have notification functions andnotification services are needed for these objects, some embodiments usea separate notification registry 2615 for the notification processingmodule 2610 to use to keep track of the notification requests for suchobjects.

The notification process serves as only one manner for accessing thedata in the NIB. Other mechanisms are needed in some embodiments foraccessing the NIB. For instance, the secondary storage structures (e.g.,the PTD 2640 and the DHT instance 2650) also need to be able to importdata from and export data to the NIB. For these operations, the NOS 2600uses the transfer modules 2630 to exchange data between the NIB and thesecondary storage structure.

In some embodiments, the transfer modules include a NIB import moduleand a NIB export module. These two modules in some embodiments areconfigured through the NOS controller 2622, which processesconfiguration instructions that it receives through the interfaces 2605from the applications above the NOS. The NOS controller 2622 alsoperforms several other operations. As with the notification processor,some or all of the operations performed by the NOS controller areperformed by one or more functions of NIB objects, in some of theembodiments that implement one or more of the NOS 2600 operationsthrough the NIB object functions. Accordingly, for these embodiments,the NOS controller 2622 is a conceptual amalgamation of several NOSoperations, some of which are performed by NIB object functions.

Other than configuration requests, the NOS controller 2622 of someembodiments handles some of the other types of requests directed at theNOS instance 2600. Examples of such other requests include queries toread certain NIB attributes, queries to write to certain NIB attributes,requests to create or destroy NIB entities, requests to import or exportentities on demand, and requests to synchronize NIB entities withswitching elements or other NOS instances.

In some embodiments, the NOS controller stores requests to change theNIB on the NIB request list 2660. Like the notification registry, theNIB request list in some embodiments is a conceptual representation of aset of distributed requests that are stored in a distributed manner withthe objects in the NIB. Alternatively, for embodiments in which some orall of the NIB objects do not maintain their modification requestslocally, the request list is a separate list maintained by the NOS 2600.The system of some of these embodiments that maintains the request listas a separate list, stores this list in the NIB in order to allow forits replication across the different controller instances through thePTD storage layer. As further described below, this replication allowsthe distributed controller instances to process in a uniform manner arequest that is received from an application operating on one of thecontroller instances.

Synchronization requests are used to maintain consistency in NIB data insome embodiments that employ multiple NIB instances in a distributedcontrol system. For instance, in some embodiments, the NIB of someembodiments provides a mechanism to request and release exclusive accessto the NIB data structure of the local instance. As such, an applicationrunning on top of the NOS instance(s) is only assured that no otherthread is updating the NIB within the same controller instance; theapplication therefore needs to implement mechanisms external to the NIBto coordinate an effort with other controller instances to controlaccess to the NIB. In some embodiments, this coordination is static andrequires control logic involvement during failure conditions.

Also, in some embodiments, all NIB operations are asynchronous, meaningthat updating a network entity only guarantees that the update willeventually be pushed to the corresponding switching element and/or otherNOS instances. While this has the potential to simplify the applicationlogic and make multiple modifications more efficient, often it is usefulto know when an update has successfully completed. For instance, tominimize disruption to network traffic, the application logic of someembodiments requires the updating of forwarding state on multipleswitches to happen in a particular order (to minimize, for example,packet drops). For this purpose, the API of some embodiments providesthe synchronization request primitive that calls back one or moreapplications running on top of the NOS once the state has been pushedfor an entity. After receiving the callback, the control application ofsome embodiments will then inspect the content of the NIB and determinewhether its state is still as originally intended. Alternatively, insome embodiments, the control application can simply rely on NIBnotifications to react to failures in modifications as they would reactto any other network state changes.

The NOS controller 2622 is also responsible for pushing the changes inits corresponding NIB to switching elements for which the NOS 2600 isthe master. To facilitate writing such data to the switching element,the NOS controller 2622 uses the switch controller 2625. It also usesthe switch controller 2625 to read values from a switching element. Toaccess a switching element, the switch controller 2625 uses the switchinterface 2655, which, as mentioned above, uses OpenFlow or OVS, orother known sets of APIs in some embodiments.

Like the PTD and DHT storage structures 2145 and 2150 of the controlsystem 2100 of FIG. 21, the PTD and DHT storage structures 2640 and 2650of FIG. 26 interface with the NIB and not the application layer. Inother words, some embodiments only limit PTD and DHT layers tocommunicate between the NIB layer and these two storage layers, and tocommunicate between the PTD/DHT storages of one instance and PTD/DHTstorages of other instances. Other embodiments, however, allow theapplication layer (e.g., the control application) within one instance toaccess the PTD and DHT storages directly or through the transfer modules2630. These embodiments might provide PTD and DHT access handles (e.g.,APIs to DHT, PTD or CM interface) as part of the application interface2605, or might provide handles to the transfer modules that interactwith the PTD layer (e.g., the CM interface 2642) and DHT layers, so thatthe applications can directly interact with the PTD and DHT storagelayers.

Also, like structures 2145 and 2150, the PTD 2640 and DHT instance 2650have corresponding lists of triggers that are respectively maintained inthe CM interface 2642 and the DHT instance 2650. The use of thesetriggers will be further described below. Also, like the PNTD 2155 ofthe control system 2100, the PNTD 2645 of FIG. 26 does not interfacewith the NIB 2620. Instead, it interfaces with the application layerthrough the application interface 2605. Through this interface, theapplications running on top of the NOS can store data in and retrievedata from the PNTD. Also, applications of other controller instances canaccess the PNTD 2645, as shown in FIG. 26.

The process for applications registering for NIB notifications will nextbe described in sub-section IV.B. After this discussion, the process forinteracting with the DHT and/or PTD upon modification of the NIB will bedescribed in sub-section IV.C. Next, the process for handling NIB changerequests from the application will be described in sub-section IV.D.

B. Application Registering for NIB Notification

FIG. 27 illustrates a process 2700 that registers NIB notifications forapplications running above the NOS and calls these applications upon thechange of NIB records. In some embodiments, this process is performed bythe notification function of each NIB object that can receive NIBnotification registrations. Alternatively, this process can be performedby the notification processor 2610 for each NIB data record for which itcan register a notification request.

As shown in FIG. 27, the process 2700 initially registers (at 2710) anotification request for one application for a particular NIB datarecord. This request is recorded in the NIB data record's correspondingnotification list in some embodiments, or in combined notification listfor several NIB data records in other embodiments. After 2710, theprocess 2700 determines (at 2720) whether it should end. The processends in some embodiments when it does not have any notifications left onits list of notifications for the particular NIB data record.

When the process determines (at 2720) that it should not end, theprocess determines (at 2730) whether the particular NIB data haschanged. If not, the process transitions to 2760, which will be furtherdescribed below. When the process determines (at 2730) that theparticular NIB data has changed, the process determines (at 2740)whether any application callbacks were triggered by the NIB data change.Such callbacks would be triggered always in embodiments that call backone or more applications when one or more callback notifications are onthe notification lists. For such embodiments, the determination (at2740) is not needed. Other embodiments, however, allow the callbacks tobe set conditionally (e.g., based on the value of the changed record).In these embodiments, the determination (at 2740) entails determiningwhether the condition for triggering the callback has been met.

When the process determines (at 2740) that it needs to call back one ormore applications and notify them of the changes to the NIB records, theprocess sends (at 2750) the notification of the NIB record change alongwith the new value for the changed NIB record to each application thatit needs to notify (i.e., to each application that is on thenotification list and that needs to be notified). From 2750, the processtransitions to 2760. The process also transitions to 2760 from 2740 whenit determines that no application callbacks were triggered by the NIBrecord change.

At 2760, the process determines whether any new notification requestsneed to be registered on the callback notification list. If so, theprocess transitions to 2710, which was described above. Otherwise, theprocess transitions to 2770, where it determines whether any request todelete notification requests from the notification list has beenreceived. If not, the process transitions to 2720, which was describedabove. However, when the process determines (at 2770) that it needs todelete a notification request, it transitions to 2780 to delete thedesired notification request from the notification list. From 2780, theprocess transitions to 2720, which was described above.

C. Secondary Storage Records and Callbacks

FIG. 28 conceptually illustrates a process 2800 that the NIB exportmodule of the transfer modules 2630 performs in some embodiments. Insome embodiments, the export module performs this process each time itreceives a notification of a NIB record change, which may require theexport module to create one or more new data records in one or more ofthe secondary storages or to update previously created data records inthe secondary storages. The secondary storages that are at issue in someembodiments are the PTD 2640 and the DHT instance 2650. However, inother embodiments, the process 2800 may interact with other secondarystorages.

As shown in FIG. 28, the process 2800 initially receives (at 2805) anotification of a change of a record within the NIB. The process 2800receives such notification in some embodiments because it previouslyregistered for such notifications with the NIB (e.g., with anotification processor 2610 of the NIB, or with the notificationfunction of the NIB record that was changed).

After 2805, the process determines (at 2810) whether the notificationrelates to creation of a new object in the NIB. If the notification doesnot correspond to a new NIB object, the process transitions to 2845,which will be described further below. Otherwise, the process determines(at 2815) whether it needs to direct one or more secondary storages tocreate one or more records to correspond to the newly created NIBrecord. When the process determines (at 2815) that it does not need todirect any secondary storages to create any new records, the processends. Otherwise, the process selects (at 2820) a secondary storagestructure and directs (at 2825) this secondary storage structure tocreate a record that would correspond to the newly created NIB object.In the case of the DHT, the process 2800 directly interfaces with aquery manager of the DHT to make this request for a new record. In thecase of the PTD, however, this request is routed to the master PTDthrough the CM(s) and CM interface(s) that serve as the interfacebetween the PTD and the NIB layers.

After 2825, the process, if necessary, registers (at 2830) for acallback from the selected secondary storage structure to the importmodule of the transfer modules 2630. This callback is triggered in someembodiments whenever the newly created record in the selected secondarystorage structure changes. In some embodiments, this callback notifiesthe import module that a record has changed in the secondary storagestructure.

In the case of the PTD 2640, the process 2800 in some embodimentsdirects the CM interface 2642 of the master PTD to create a trigger forthe newly created PTD record and to identify the import module as themodule to call back when the newly created PTD record has changed. Asmentioned above, the CM processor then receives this request and directsthe PTD trigger tracker of the master PTD to create such a triggerrecord in its PTD trigger list for the newly created PTD record.

FIG. 29 illustrates an example of such trigger records that aremaintained for different PTD records in a PTD trigger list 2955. Asshown in this figure, this list stores a set of zero or more importmodules of zero or more controller instances to callback when the newlyPTD record is changed. Also, this figure shows that the PTD in someembodiments stores a callback to a CM module (e.g., to the CM processoror to the PTD tracker) for each PTD record. A callback is made for arecord from the PTD whenever that PTD record is modified. Whenever sucha callback is received for a PTD record, the PTD trigger list is checkedfor that record to determine whether the import module of any controllerinstance needs to be notified.

In the case of the DHT, the process in some embodiments directs the DHTquery manager to register a trigger for the newly created DHT record andto identify the import module of the NIB that originated the change asthe module to call back, when the newly created DHT record has changed.FIG. 30 illustrates that the DHT record trigger is stored with the newlycreated record in some embodiments. Specifically, it shows that each DHTrecord has a hash index, a data value and the identity of one or moreNIB import modules (of controller instances) to call back. More than oneNIB import modules will be in the callback list because, in someembodiments, each time one controller instance's NIB does a DHT query,it records a NIB callback registration that identifies its NIB'scorresponding import module. As further described below, the newlycreated DHT record will not necessarily be in the same instance as theNIB that originated the change received at 2805.

Instead of registering for a callback at 2830 upon creation of a new NIBrecord, the process 2800 of other embodiments uses other techniques forregistering callbacks to the NIB from one or more of the secondarystorage structures. For instance, in some embodiments, the NIB importmodule of a controller instance registers for callbacks from the masterPTD when the NIB and the import module are instantiated. In someembodiments, such callbacks are registered with the CM interface of themaster PTD, and the CM interface performs these callbacks when themaster PTD notifies it that one of its records has changed. Someembodiments use a similar approach to register for callbacks from theDHT, while other embodiments use the process 2800 (or similar process)to register callbacks (e.g., at 2830) for the DHT.

After 2830, the process adds (at 2835) the selected secondary storagestructure to the list of modules that it needs to notify when the newlycreated NIB record has changed. The process then determines (at 2840)whether it has to select another secondary storage structure in which ithas to create a new record to correspond to the newly created NIBrecord. In some embodiments, the process 2800 can at most create a newrecord in the master PTD and a new record in one DHT instance. In otherembodiments, however, the process can create more than these two recordsin more than two secondary storages of the controller instances of thecontrol system.

When the process determines (at 2840) that it does not need to create arecord in any other secondary storage structure, it ends. However, whenthe process determines (at 2840) that it needs to create a new record inanother secondary storage structure, it returns to 2820 to selectanother secondary storage structure and repeat its operations 2825 to2840 for this structure.

When the process determines (at 2810) that the NIB change notificationthat it has received does not correspond to a new NIB object, theprocess transitions to 2845. At 2845, the process determines whether anysecondary storages need to be notified of this NIB change. If not, theprocess ends. Otherwise, the process selects (at 2850) a secondarystorage to notify and then notifies (at 2855) the selected secondarystorage. In some embodiments, the notification of the selected secondarystorage always or at times entails generating a write command to thesecondary storage to direct it to modify a value of its record thatcorresponds to the NIB record which has been modified (i.e., which wasthe NIB record identified at 2805).

After 2855, the process determines (at 2860) whether it needs to notifyany other secondary storage of the NIB change. If so, the processreturns to 2850 to select another secondary storage structure to notify.Otherwise, the process ends.

FIG. 31 illustrates a process 3100 that the NIB import module of thetransfer modules 2630 performs in some embodiments. In some embodiments,the import module performs this process each time it receives anotification of a record change in a secondary storage structure, whichmay require the import module to update previously created data recordsin the secondary storages. The secondary storages that are at issue insome embodiments are the PTD 2640 and the DHT instance 2650. However, inother embodiments, the process 2800 may interact with other secondarystorages.

As shown in FIG. 31, the process 3100 initially receives (at 3105) anotification of a change of a record within the secondary storagestructure. The process 3100 receives such notification in someembodiments because the process 2800 previously registered for suchnotifications at 2830. After 3105, the process determines (at 3110)whether the notification relates to a change that needs to be importedinto the NIB. If not, the process ends. Otherwise, the process queries(at 3115) the secondary storage structure (e.g., queries the PTD querymanager through the CM interface, or queries the DHT query manager) forthe new value of the changed record. At 3115, the process also registersanother notification in the secondary storage structure for the recordfor which it receives the notification at 3105, if such a registrationis desired and necessary. After 3115, the process imports (at 3120) thereceived changed value into the NIB and then ends.

FIG. 32 presents a data flow diagram 3200 that shows the combinedoperations of the export and import processes 2800 and 3100.Specifically, it shows the creation of a record in the secondary storagelayer upon creation of a new record in the NIB, and a subsequentmodification of the newly created NIB record in the secondary storagelayer. In this example, the secondary storage layer could be either aPTD or a DHT. If the illustrated operation involved the PTD, then theinteraction would have to pass through the master PTD. If theillustrated operation involved the DHT, then the newly created DHTrecord could be stored on a NOS controller's DHT instance that is remotefrom the NIB that has a newly created record. However, to keep theillustration simple, FIG. 32 does not show any of the interactions withthe remote controller instances. Accordingly, this illustration is onlymeant to be a conceptualization of some of the sequence of operations,but not necessarily representative of the exact sequence of operationsinvolved otherwise.

FIG. 32 illustrates in six stages the creation of a NIB record and theupdating of that NIB record after its corresponding record in thesecondary storage layer is changed. In the first stage 3201, the systemis shown at steady state. This first stage illustrates a NIB 3210 and asecondary storage layer 3250, which may be in the same controllerinstance or may be in different controller instances. The first stage3201 also shows an export module 3230 and import module 3240 between theNIB 3210 and the secondary storage layer 3250. These two modulescollectively form a set of transfer modules 3220 that facilitate theexchange of data between the NIB 3210 and secondary storage layer 3250.

In the second stage 3202, the NIB 3210 adds a new NIB entity, which isillustrated by an arrow pointing to a new NIB node 3260. The value ofthis new NIB record 3260 is “X” in this example. Next, in the thirdstage 3203, the export module 3230 in the set of transfer modulesreceives notification of the newly created entity 3260 in the NIB. Uponreceipt of this notification, the export module 3230 creates a newrecord 3270 in the secondary storage layer as illustrated by the arrowstarting at the export module and ending at the box 3270 in thesecondary storage layer 3250. The third stage 3203 shows that the value“X” is stored in the newly created record 3270 in the secondary storagelayer 3250. In the third stage, the export module 3230 also directs thesecondary storage layer to create a trigger in the secondary storagelayer (e.g., to create a DHT trigger in the DHT, or to create a PTDtrigger in the CM) and register the identity of the import module 3240as a module to call back in case the new record 3270 changessubsequently.

The fourth stage 3204 illustrates the updating of the record 3270 in thesecondary storage at a subsequent point in time. This updating resultsin a new value “S” being stored in this record 3270. This updatingresults in the identification of the notification trigger stored at thedirection of the export module 3230, and the subsequent identificationof the import module 3240 as a module to notify of the NIB change.

The fifth stage 3205 illustrates that after the identification of theimport module 3240, this module 3240 receives notification of the changeto the record 3270 that occurred in the fourth stage 3204. With thedouble arrow connection between the import module 3240 and the record3270, the fifth stage 3205 also shows that the import module queries thesecondary storage structure to receive the new value “S” once itdetermines that it needs to import this new value into the NIB. In thesixth, and final stage 3206, the import module 3240 imports the newvalue “S” into the NIB record 3260 to reflect the change that occurredto the corresponding record 3270 in the secondary storage layer in thefourth stage 3204. This process shows how the transfer modules maintainconsistency between the NIB and the secondary storage layer through useof export and import modules.

D. Application Requesting NIB Changes

The discussion above describes how the applications and export modulesregister notifications with the NIB and how the import modules importdata into the NIB, in some embodiments of the invention. Another NIBlayer interaction involves the applications requesting through theapplication interface 2605 changes in the NIB. Some embodiments allowall applications to make such requests, but only make changes based onsome of the application requests.

As further described below, in some embodiments, the system replicatesthe PTDs and NIBs across multiple controller instances. In someembodiments, the system takes advantage of this replication todistribute a request by one application to modify the NIB. For instance,in some embodiments, a request to modify the NIB from one controllerinstance's application is stored in a NIB request list 2660 within theNIB 2620. As this list is part of the NIB, additions to it arepropagated to the NIBs of the other controller instances through theNIB/PTD replication process, which will be further described below.

Each controller instance then subsequently retrieves the request fromits NIB's request list and determines whether it should process the NIBchange. The controller instance that should process the received NIBmodification request and change the NIB then determines whether thischange should be made, and if it determines that it should, it thenmodifies its NIB based on the request. If this controller instancedetermines that it should not grant this request, it rejects therequest. In some embodiments, the NOS controller 2622 of the NOS 2600 isthe module of the controller instance that decides whether it shouldprocess the request, and if so, whether it should make the desiredchange based on the request or deny this request. As mentioned above,the NOS controller 2622 in some embodiments is a conceptual amalgamationof several different functions in several different NIB objects thatprocess NIB modification requests from the application layer.

In some embodiments, the NOS controller 2622, which makes or denies therequested NIB modification, records a response to the specified requestin a response list in the NIB. This response list is part of the requestlist in some embodiments. Alternatively, this response list is aconceptual amalgamation of various response fields or attributes invarious NIB objects. This response list is propagated to the other NIBsthrough the NIB/PTD replication process. Each NOS controller 2622 ofeach controller instance examines the response list to determine whetherthere are any responses that it needs to process. Accordingly, the NOScontroller 2622 of the controller instance that originated the NIBrequest modification removes the response added to the list by thecontroller that made or denied the NIB modification. Based on thisresponse, this NOS controller then supplies an acknowledgment or adenial of the change to the application that originated the request.

For some embodiments of the invention, FIG. 33 illustrates threeprocesses 3305, 3310, and 3315 for dealing with a NIB modificationrequest from an application (e.g., a control application) running on topof a NOS on one controller instance. Two of these processes 3305 and3315 are performed by one controller instance, while the third 3310 isperformed by each controller instances. Specifically, the first process3305 is performed by the controller instance that receives the NIBmodification request from an application that runs within that instance.This process starts (at 3320) when the NIB modification request isreceived. Next, the process 3305 changes (at 3325) the request list inthe NIB to reflect this new request. As this list is part of the NIB,additions to it are propagated to the NIBs of the other controllerinstances through the NIB/PTD replication process that replicates theNIBs and PTDs across all the controller instances. After 3325, theprocess 3305 ends.

Process 3310 is a process that each controller instance subsequentlyperforms when it receives notification of the change to the requestlist. In some embodiments, this process previously registered to benotified of NIB modifications (e.g., with the notification processor2610) whenever the request list is modified. As shown in FIG. 33, theprocess 3310 initially retrieves (at 3327) the newly received requestfrom the request list. It then determines (at 3330) whether itscontroller instance is the master of the portion of the NIB beingchanged. In some embodiments, the process 3310 makes this determinationby querying the CM interface 2642 to inquire whether its controllerinstance is the master of the portion of the NIB being changed. Asmentioned above, some embodiments have a one-to-one correlation betweenan instance being the master of a NIB data record and the instance beingthe master of the corresponding record in the switching element, whileother embodiments allow one instance to be the master of a NIB datarecord and another instance be the master of the corresponding record inthe switching element.

When the process 3310 determines (at 3330) that its controller instanceis not the master of the NIB portion being changed, it ends. Otherwise,the process calls (at 3335) the NIB updater process 3315, and then ends.

Process 3315 is the process that is performed by the controller instancethat should process the received NIB modification request (i.e., by thecontroller instance that is the master of the NIB portion beingchanged). As shown in FIG. 33, this process initially determines (at3340) whether it should make the requested change. The process 3315denies this request if it determines (at 3340) that the requestingapplication does not have authority to change the identified NIBportion. This might be the case if the application simply does not havethis authority, if another application or instance locked the identifiedNIB portion from being modified by some or all other applications and/orinstances, or if the state has changed significantly since the requestwas made.

When the process determines (at 3340) the requested NIB modificationshould not be made, it transitions to 3355, which will be describedfurther below. Otherwise, when the process determines (at 3340) that itshould perform the requested NIB modification, it makes (at 3350) thismodification in the NIB and then transitions to 3355.

At 3355, the process removes the modification request from the requestlist. After 3355, the process transitions to 3360, at which point itupdates the response list in the NIB to reflect an acknowledgement thatit has made the desired modification. After 3360, the process ends.

The response list is propagated to the other NIBs through the NIB/PTDreplication process. The NOS controller of the controller instance thatoriginated the NIB request modification removes the response added tothe list by the controller that made or denied the NIB modification.Based on this response, this NOS controller then supplies anacknowledgment or a denial of the change to the application thatoriginated the request.

Some embodiments perform variations of the processes 3305-3315. Forinstance, in some embodiments, the process 3305 that handles theincoming NIB modification request from an application of its controllerinstance, initially determines whether the NIB modification needs amaster controller to perform the modification. If not, the process 3305implements this change in some embodiments. Also, while some embodimentspropagate the NIB modification request through the PTD storage layer,other embodiments propagate the NIB modifications through the DHTstorage layer.

As described above, FIG. 33 illustrates that in some embodimentsrequests to modify the NIB from one controller instance are propagatedthrough NIB request lists to the controller instance that is responsiblefor managing the portion of the NIB that the request identifies for themodification. In such a case, the NIB of some embodiments is used as amedium for communication between different controller instances andbetween the processing layers of the controller instances (e.g., acontrol application, a virtualization application, and a NOS). Otherexamples of the NIB as a communication layer between controllerinstances exist. For example, one controller instance might generatephysical control plane data for a particular managed switching element.This update is then transmitted through the secondary storage layer tothe NIB of another controller instance that is the master of theparticular managed switching element. This other controller instancethen pushes the physical control plane data to the particular managedswitching element. Also, the NIB may be used as a communication layerbetween different applications of one controller instance. For instance,a control application can store logical forwarding plane data in the NIBand a virtualization application may retrieve the logical forwardingplane data from the NIB, which the virtualization application thenconverts to physical control plane data and stores in the NIB.

V. Secondary Storage

A. DHT

FIG. 34 illustrates a DHT storage structure 3400 of a single NOSinstance for some embodiments of the invention. The DHT storagestructure 3400 enables controller instances to share informationefficiently and enables system administrators to expand controllerinstance data storage capabilities in a scalable manner. As shown inFIG. 34, a DHT storage structure includes a query manager 3405, atrigger processor 3410, a DHT range list 3415, a remote DHT interfacemodule 3420, a hash generator 3425, and a hash table 3430.

In several embodiments described below, the query manager 3405 receivesqueries only from other DHT storage structures and from the import andexport modules of the controller instance that includes the DHT storagestructure 3400. In other embodiments, the query manager 3405 alsoreceives queries from applications running on top of the NOS instances.

The query manager 3405 interacts with the other software modulescontained inside of the DHT storage structure 3400 in order to processqueries. In some embodiments, the query manager 3405 can handle “put”and “get” queries. When the query manager 3405 receives a “put” query,it adds or changes a data record in the hash table 3430. When the querymanager 3405 receives a “get” query, the query manager 3405 retrieves adata record from the hash table 3430 and returns this data record to thequerying entity.

The query manager in some embodiments can receive a query with a keyvalue for a record in the hash table. In some of these embodiments, thequery in some cases can also include a hash value that corresponds tothe hash of the key value, whereas the query in other cases does notinclude a hash value.

The hash generator 3425 is used by the query manager 3405 to generate ahash value for a received key value. For instance, when query managerreceives a query that does not specify a hash value, it sends the queryalong with the received key value. The hash generator 3425 contains andexecutes one or more hash functions on the received key value togenerate a hash value. The hash generator 3425 sends hash values that itgenerates to the query manager 3405.

The DHT range list 3415 contains a list of hash value ranges, withdifferent ranges being associated with different DHT instances ofdifferent controller instances. The CM (e.g., CM 2635) periodicallyupdates the DHT range list 3415, as described above and furtherdescribed below. The query manager 3405 uses the DHT range list toidentify the DHT instance that contains a DHT record associated with ahash value that it receives from the hash generator 3425 or receiveswith the query. For a particular hash value, the DHT range list 3415might specify the current DHT instance (i.e., the DHT instance whosequery manager is currently processing the DHT query) as the location ofthe corresponding DHT record, or alternatively, it can specify anotherDHT instance that runs in another controller instance as the location ofthe desired DHT record.

When the DHT range list 3415 shows that the hash value falls within arange of another DHT instance, the query manger 3405 uses its remote DHTmodule interface to pass the query to the remote DHT that contains thedesired DHT record. In some embodiments, the query manager 3405 alsosends the hash value the local hash generator 3425 so that the remotehash generator does not need to re-compute this hash value. Afterprocessing the query, the remote DHT data structure will send therequested data record to the requesting query manager 3405 through itsremote DHT interface module 3420. Thus, the remote DHT interface module3420 serves two functions. First, the remote DHT interface module 3420sends queries, data records, and hash values to remote DHT storagestructures. Second, the remote DHT interface module 3420 receivesqueries, data records, and hash values from remote DHT storagestructures. The remote DHT interface module 3420 enables the querymanagers of all the DHT storage structures in the network to share theinformation stored in their local hash tables.

When the DHT range list 3415 shows that a hash value is stored locally,the query manager 3405 will use the hash value to access its local hashtable 3430 for the hash record associated with the hash value. The hashtable 3430 contains several data records and a hash value for each datarecord. When this table receives a hash value, it returns the datarecord associated with the hash value.

The trigger processor 3410 handles trigger notifications when the querymanager modifies a record in the local hash table 3430. Whenever thequery manager writes a new value in the hash table, the hash table insome embodiments returns a set of identities for a set of modules tonotify in the same or different controller instances. The triggerprocessor receives this set of identities. It then notifies theassociated modules of the change to the DHT record. If needed, themodules then query the DHT instance to retrieve the new value for theDHT record.

Other embodiments may implement the triggering process differently. Forinstance, in conjunction with or instead of triggering based on writesto the hash table, the triggering in some embodiments is performed basedon deletes from the hash table. Also, instead of just calling backmodules to notify them that a DHT record value has changed, someembodiments send the new value of the DHT record along with thenotification to the modules that are called back.

The description of the operation of the DHT storage structure 3400 willnow be described in reference to FIGS. 35, 36, and 37. FIG. 35illustrates a simple example of the operation of the DHT storagestructure 3400 for the case where the DHT record being retrieved isstored locally within the DHT storage structure. This example is furthersimplified by ignoring access to the DHT range list and the handling oftriggers. FIGS. 36 and 37 subsequently provide more elaborate examplesthat show how the DHT range list is accessed and how the triggers areprocessed.

FIG. 35 shows examples of accessing two records. The example DHTretrieval operation 3500 shown in FIG. 35 contains the modules querymanager 3510, hash generator 3520, and hash table 3530. In this example,the query manager 3510 receives two “get” queries that include keysNode123.port1.state 3540 and Link4789.stats 3550 from one or twodifferent requesting modules at two different instances in time. Thequery manager 3510 sends each of the keys, Node123.port1.state 3540 andLink4789.stats 3550, to the hash generator 3520. The hash generator 3520generates hash value 3541 (which is 111) for the key Node123.port1.state3540, and generates hash value 3551 (which is 222) for the keyLink4789.stats 3550. The hash generator 3520 sends each hash value 3541or 3551 to the query manager 3510. Using each received hash value, thequery manager 3510 queries the hash table 3530. The hash table 3530looks up the data records at hash indexes 111 and 222. The hash table3530 then returns data record Open 3542 for hash index 111, and datarecord 100 bytes for hash index 222. The query manager 3510 finisheseach query operation by returning the data record (i.e., Open 3542 or100 bytes 3552) to the respective requesting module.

FIG. 36 illustrates an example of a “put” operation by a DHT storagestructure 3600. To keep this example simple, the put operation willentail modifying a record in the local hash table of the DHT storage3600. To illustrate this example, this figure shows DHT query manager3610, hash generator 3620, DHT range list 3630, coordination manager3632, hash tables 3640, and trigger processor 3650.

In this example, the query manager 3610 initially receives from aquerying entity a put query 3680 includes a key 3660 and a value 3670.The query manager 3610 then sends the key 3660 to the hash generator3620, which generates hash 3665 and returns this hash to the querymanager 3610. The query manager 3610 then provides the hash 3665 to theDHT range list 3630. The DHT range list 3630 then identifies a range ofhash values in which the hash 3665 falls. FIG. 36 illustrates that theCM 3632 periodically updates the DHT range list. The CM is shown withdashed lines in this example as it is not one of the components of theDHT and its operation is not in the same sequence as the otheroperations illustrated in FIG. 36.

Based on the range that the DHT range list 3630 identifies, itidentifies a corresponding controller instance whose DHT instancecontains the desired DHT record (i.e., the record corresponding to thegenerated hash value). The DHT range list 3630 returns theidentification 3675 of this controller instance to the query manager3610. In this case, the identified controller instance is the localcontroller instance.

Hence, the query manager 3610 next performs a put query on its localhash table 3640. With this query, the query manager 3610 sends the hash3665, and the value 3670 to write in the corresponding DHT record in thehash table 3640. Because the put query 3680 is a put command, the hashtable 3640 writes the value 3670 in the hash table. If the accessed DHTrecord did not exist before this put query, the hash table generates aDHT record based on this query and stores in this record the hash 3665along with the value 3670.

In this example, the modified DHT record has a set of notificationtriggers (i.e., a set of identities of modules that need to benotified). Accordingly, after modifying its DHT record, the hash tables3640 sends the list 3690 of modules that need to be notified of the DHTrecord modification. The query manager 3610 then sends the key 3660 thatidentifies the modified record along with the trigger list 3690 to thetrigger processor 3650. The trigger processor 3650 processes thetriggers in the trigger list 3690 by sending a notification 3695 to allentities that have registered triggers (i.e., all modules on the triggerlist 3690) that the DHT record (with the key 3660) has been modified.The three arrows exiting the trigger processor 3650 represent the key3660 and notification 3695 are being sent to three registered modules inthis example. In addition to sending the key and trigger list to thetrigger processor, the query manager also sends a confirmation 3685 ofthe completion of the Put request to the source that sent it the Putquery.

FIG. 37 illustrates another example of a “put” operation by a DHTstorage structure 3700. In this example, the put operation will entailmodifying a record in a remote hash table of the DHT storage 3700. DHTstorage structure 3700 is a component of the NOS instance A 3701, andthis DHT storage structure will communicate with DHT storage structure3705, which is a component of the NOS instance B 3706. To illustratethis example, this figure shows a first query manager 3710, a secondquery manager 3715, a hash generator 3720, a DHT range list 3730, a CM3732, a hash table 3745 and a trigger processor 3750.

The example begins when the query manager 3710 receives a put query 3780that includes key 3760 and value 3770. The query manager 3710 then sendsthe key 3760 to the hash generator 3720. The hash generator 3720generates hash 3765 and sends the hash 3765 to the query manager 3710.

The query manager 3710 then sends the hash 3765 to the DHT range list3730. As was the case in FIG. 36, the DHT range list 3730 isperiodically updated by the CM 3732. The DHT range list 3730 identifiesa range of hash values in which the hash 3765 falls. Based on the rangethat the DHT range list 3730 identifies, it identifies a correspondingcontroller instance whose DHT instance contains the desired DHT record(i.e., the record corresponding to the generated hash value). The DHTrange list 3730 returns the identification 3775 of this controllerinstance to the query manager 3710. In this case, the identifiedcontroller instance is the remote controller instance 3706.

Because instance 3706 manages the desired DHT record, the query manager3710 relays the key 3760, put query 3780, hash 3765, and value 3770 tothe query manager 3715 of the instance 3706. The query manager 3715 thensends the value 3770 and the hash 3765 to the hash table 3745, whichthen writes value 3770 to its record at hash 3765.

In this example, the modified DHT record has a set of notificationtriggers. Accordingly, after modifying its DHT record, the hash tables3745 sends to the query manager 3715 the trigger list 3790 of modulesthat need to be notified of the DHT record modification. The querymanager 3715 then sends key 3760 and trigger list 3790 to the triggerprocessor 3750. The trigger processor 3750 processes the triggers 3790by sending a notification 3795 to all entities that have registeredtriggers (i.e., all modules on the trigger list 3790) that the DHTrecord (with key 3760) has been modified. The three arrows exiting thetrigger processor 3750 represent the key 3760 and notification 3795 arebeing sent to three registered modules in this example.

In addition to sending the key and trigger list to the triggerprocessor, the query manager of instance B also sends a confirmation3705 of the completion of the Put request to the query manager 3710 ofthe instance A. The query manager 3710 then relays this confirmation3785 to the source that sent it the Put query.

FIG. 38 conceptually illustrates a process 3800 that the DHT querymanager 3405 performs in some embodiments of the invention. In someembodiments, the query manager performs this process each time itreceives a DHT record access request. An access request may require thequery manager to create, retrieve, or update records or triggers insidethe DHT storage structure.

As shown in FIG. 38, the process 3800 initially receives (at 3810) anaccess request for a record within the DHT. In some embodiments, theprocess 3800 receives an access request from an import module 3240 or anexport module 3230 of the transfer modules 3220. In some embodiments,the process receives an access request from another query manager on aremote NOS instance's DHT as shown in FIG. 37. After 3810, the processgenerates (at 3820) a hash value for the access request if necessary. Insome embodiments, the hash value does not need to be generated when itis provided in the access request in some embodiments, but when theaccess request does not include a hash value, it is necessary for theprocess to generate a hash value. The process generates the hash valuefrom information contained in the access request. In some embodiments,the process hashes the key that identifies the data to be accessed.

The process 3800 then uses the hash value it generated (at 3820) orreceived (at 3810) with the access request to check (at 3830) the DHTrange list. The DHT range list contains a list of hash ranges associatedwith DHT instances and is locally cached by the query manager 3405. If ahash value is within a DHT range for a DHT instance on the DHT rangelist, then that DHT instance can process an access request for said hashvalue.

After referencing the DHT range list (at 3830), the process determines(at 3840) whether the access request can be processed locally. If so,the process executes (at 3850) the access request. In some embodiments,the execution of the access request consists of the process performing a“put” function or a “get” function on the records requested by theaccess request. After executing the access request 3850, the processreceives (at 3860) triggers from the local DHT records on data that theaccess request operated on, if any. A trigger is list of entities thatthe query manager must notify if the query manager accesses the recordassociated with the trigger. In some embodiments, the entities thatcould have triggers on DHT data are the notification processors 2610,the transfer modules 2630, or the application interface 2605. In someembodiments, the triggers are stored with the local DHT records as shownin FIG. 30. After 3860, the process handles (at 3870) triggernotifications, if the process received (at 3860) any triggers. Theprocess handles (at 3870) the trigger notifications by sendingnotifications to any entities on the triggers. After 3870, the processtransitions to 3890, which will be explained below.

When the process determines (at 3840) that the access request cannot beprocessed locally, the process sends (at 3880) the access request to theremote DHT node identified (at 3830) on the DHT range list. The processsends (at 3880) the access request to the remote DHT node including anyhash values received (at 3810) or generated (at 3820). After sending theaccess request to a remote DHT node 3880, the process transitions to3885 to wait for a confirmation from the remote DHT node. Once theprocess receives (at 3885) confirmation from the remote DHT node, theprocess transitions to 3890.

At 3890, the process sends a confirmation to the source that sent it thequery. When the query is a Put query, the confirmation confirms thecompletion of the query. However, when the query is a Get query, theconfirmation relays the data retrieved from the DHT. Also, in cases thatthe remote DHT node does not return a confirmation (at 3885) within atimely manner, the process 3800 has an error handling procedure toaddress the failure to receive the confirmation. Different embodimentsemploy different error handling procedures. In some embodiments, theerror handler has the DHT node re-transmit the query several times tothe remote node, and in case of repeated failures, generate an error tothe source of the query and/or an error for a system administrator toaddress the failure. Other embodiments, on the other hand, do notre-transmit the query several times, and instead generate an error tothe source of the query and/or an error for a system administrator toaddress upon failure to receive confirmation.

B. PTD

FIG. 39 conceptually illustrates an example of a PTD storage structure3900 for some embodiments of the invention. As described above, the PTDis a software database stored on a non-volatile storage medium (e.g.,disk or a non-volatile memory) in some embodiments of the invention. Insome embodiments, the PTD is a commonly available database, such asMySQL or SQLite.

As described above and as illustrated in FIG. 39, data is exchangedbetween a NIB 3910 and the PTD 3900 through transfer modules 3920 and CMinterface 3925. In some embodiments, the NIB 3910 and the PTD 3900 thatexchange data through these intermediate modules can be in the samecontroller instance (e.g., the NIB and PTD are part of the master PTDcontroller instance), or the NIB and PTD can be part of two differentcontroller instances. When the NIB and PTD are part of two differentcontroller instances, the CM interface 3925 is an amalgamation of the CMinterface of the two controller instances.

As further illustrated in FIG. 39, the PTD 3900 includes a query manager3930 and a set of database tables 3960. In some embodiments, the querymanager 3930 receives queries 3940 from the CM interface 3925 andprovides responses to these queries through the CM interface. In someembodiments, the PTD 3900 and its query manager 3930 can handle complextransactional queries from the CM interface 3925. As a transactionaldatabase, the PTD can undo a series of prior query operations that ithas performed as part of a transaction when one of the subsequent queryoperations of the transaction fails.

Some embodiments define a transactional guard processing (TGP) layerbefore the PTD in order to allow the PTD to execute conditional sets ofdatabase transactions. In some embodiments, this TGP layer is built aspart of the CM interface 3925 or the query manager 3930 and it allowsthe transfer modules 3920 to send conditional transactions to the PTD.FIG. 39 illustrates an example of a simple conditional transactionstatement 3950 that the query manager 3930 can receive. In this example,all the ports of a tenant “T1” in a multi-tenant server hosting systemare set to “open” if the Tennant ID is that of tenant T1. Otherwise, allports are set to close.

In some embodiments, the controller instances maintain identical datarecords in the NIBs and PTDs of all controller instances. In otherembodiments, only a portion of the NIB data is replicated in the PTD. Insome embodiments, the portion of NIB data that is replicated in the PTDis replicated in the NIBs and PTDs of all controller instances.

FIG. 40 conceptually illustrates a NIB/PTD replication process that someembodiments perform in order to ensure data consistency amongst all theNIBs and PTDs of all controller instances for the portion of the NIBstorage layer that is replicated in the PTD storage layer. The process4000 is performed each time a modification is made to a replicatedportion of a NIB of one controller instance.

As shown in FIG. 40 the process 4000 initially propagates (4010) anychanges made to the NIB layer to the PTD layer. In some embodiments, thedata is translated, transformed, or otherwise modified when it istransferred from the NIB layer to the PTD layer, while in otherembodiments the data is transferred from the NIB layer to the PTD layerin the same format. Also, in some embodiments, the change to the NIB ispropagated to the PTD in the same controller instance as the NIB.However, as described below, some embodiments propagate the NIB changefirst to a master PTD instance.

After 4010, the process replicates (at 4020) the change across the PTDsof the PTD layer. In some embodiments, the change is replicated acrossall PTDs by having the PTD of the instance that received the NIB changenotify the other PTDs. However, as described below, the process 4000 ofsome embodiments employs the master PTD to notify all other slave PTDsto replicate the change in their PTDs.

After the process completes the PTD replication operation 4020, theprocess propagates (at 4030) the NIB change to all the NIBs of all othercontroller instances. In some embodiments, this process is performed byeach controller instance's transfer modules retrieving the modified PTDrecord from its local PTD after being locally notified by its PTDstorage layer (e.g., by the local CM interface of that instance) of thelocal PTD change. However, as mentioned above, the process 4000 in someembodiments replicates the NIB change in all the NIBs by having themaster PTD notify each instance's transfer module of the PTD layerchange, and then supplying each instance's NIB with the modified record.As further described above, the master PTD supplies the modified recordwith the notification of PTD layer change to each NIB instance in someembodiments, while in other embodiments, the master PTD supplies themodified record to each NIB instance after it notifies the NIB instanceand the NIB instance in response queries the master PTD for the modifiedrecord. After 4030, the process ends.

FIG. 41 conceptually illustrates a process 4100 that a PTD instanceperforms in some embodiments when it receives a request to update one ofits PTD records. This process is partly performed by the PTD instance'sCM interface and partly by its query manager. As shown in FIG. 41, theprocess 4100 starts (at 4110) when it receives a PTD update request. Insome embodiments, the update request comes (at 4110) from the NIB exportmodule of the PTD's controller instance. The update request contains arequest to add, modify, or delete PTD records.

After 4110, the process determines (at 4120) whether this instance isthe master PTD instance. A slave PTD instance is PTD without theauthority to write to that PTD without direction from a master PTDinstance, while a master PTD instance is a PTD that has the authority tomake updates to its PTD and distributes updates to the PTDs of the slavePTD instances.

When the process 4100 determines that it is the master PTD, it initiates(at 4170) the master update process, and then terminates. The masterupdate process will be described below by reference to FIG. 42. When theprocess determines (at 4120) that it is not the master PTD, the processtransmits (at 4130) the PTD update request to the CM interface of themaster PTD instances. The process then waits (at 4140) until the processreceives an update command from the master PTD instance. When theprocess receives (at 4140) an update command from the master PTDinstance, the process sends (at 4150) to its controller instance's NIBimport module a PTD update notification, which then causes this moduleto update its NIB based on the change in the PTD. In some embodiments,this PTD update notification is accompanied with the updated record,while in other embodiments, this notification causes the import moduleto query the master PTD to retrieve the updated record. After 4150, theprocess ends.

For some embodiments, the wait state 4140 in FIG. 41 is a conceptualrepresentation that is meant to convey the notion that the slave PTDdoes nothing further for a PTD update request after it notifies themaster PTD and before it receives a PTD update request from the master.This wait state is not meant to indicate that the PTD slave instance hasto receive a PTD update request from the master. In some embodiments,the PTD slave instance sends to the master a PTD update request if itdoes not hear from the master PTD to make sure that the master PTDreceives the PTD update request. If for some reason, the PTD masterdetermines that it should not make such a change, it will notify theslave PTD instance in some embodiments, while in other embodiments theslave PTD instance will stop notifying the master of the particular PTDupdate request after a set number of re-transmissions of this request.

FIG. 42 conceptually illustrates a master update process 4200 that amaster PTD instance performs when updating the PTDs of the master PTDinstance and the slave PTD instances. This process is partly performedby the master PTD instance's CM interface and partly by its querymanager. This process ensures that all PTDs are consistent by channelingPTD updates through the master PTD instance's CM interface.

As shown in FIG. 42, the process 4200 initially receives (at 4210) a PTDupdate request. The PTD update request can come from the process 4100 ofthe master PTD instance or of another slave PTD instance. The PTD updaterequest can comprise a request to add, modify, or delete PTD records. Insome embodiments, the PTD is a database (e.g., SQLite) that supportscomplex, transactional queries. Where the PTD is a database, the PTDupdate request can comprise a complex, transactional database query.

After 4210, the process directs (at 4220) the slave PTD instances toupdate their PTDs and the process requests acknowledgment of completionof the PTD update from all slave PTD instances. In some embodiments, thedirection to update PTDs is sent from the master PTD instance's CMinterface to the CM interfaces of the slave PTD instances, and themaster PTD instance's CM interface will receive acknowledgment of thecompletion of the PTD update from the slave PTD instances' CMinterfaces.

After 4220, the process in some embodiments determines (at 4230) whetherit has received acknowledgement from all slave instances of completionof the PTD update process. Instead of requiring acknowledgments from allslave instances, the process 4200 of some embodiments only requires (at4230) acknowledgments from a majority of slave instances.

When the process determines (at 4230) that it has not yet receivedacknowledgement from a sufficient number of slave instances (e.g., fromall slave instances or a majority of slave instances), the processdetermines (at 4240) whether to call an error handler. If not, theprocess returns to 4230 to wait for acknowledgements from the slaveinstances. Otherwise, the process calls (at 4250) the error handler toaddress the lack of acknowledgement from the slave PTDs. In someembodiments, the error handler flags the unresponsive slave PTDs for asystem administrator to examine to determine the reason for their lackof response. In some embodiments, the process 4200 re-transmits the PTDupdate command a set number of times to each unresponsive slaveinstance, before calling the error handler to address these unresponsiveslave instances. After calling the error handler (at 4250), the processends.

When the process determines (at 4230) that it has receivedacknowledgement from a sufficient number of slave instances (e.g., fromall slave instances or a majority of slave instances), the processtransitions to 4260. At 4260, the process records the PTD update in itsmaster PTD. It then sends (at 4270) a PTD update notification to all NIBimport modules (including the import module of the master PTDcontroller) to update their NIBs based on the received NIB modificationand requests acknowledgement of completion of those NIB update from asufficient number instances. This PTD update notification causes eachNIB import module to update its NIB based on the change in the PTD. Insome embodiments, this PTD update notification is accompanied with theupdated record, while in other embodiments, this notification causes theimport module to query the master PTD to retrieve the updated record. Insome embodiments, the process also sends the NIB import module of itscontroller instance a PTD update notification, in order to cause thisimport module to update its NIB. Alternatively, the process 4200 makesthe modifications to its NIB at 4220 instead of at 4270 in someembodiments.

At 4280, the process determines whether it has received acknowledgementfrom all slave instances of the completion of the NIB update process. Ifso, the process ends. Otherwise, the process determines (at 4290)whether to call an error handler. If not, the process returns to 4280 towait for acknowledgements from the slave instances. When the processdetermines (at 4290) that it should call the error handler (e.g., thatsufficient time has passed for it to call an error handler), the processcalls (at 4295) the error handler to address the lack of acknowledgementfrom the slave instances. In some embodiments, the error handler flagsthe unresponsive slave instances for a system administrator to examineto determine the reason for their lack of response. In some embodiments,the process 4200 re-transmits the NIB update command a set number oftimes to each unresponsive slave instance, before calling the errorhandler to address these unresponsive slave instances. Also, in someembodiments, the process 4200 does not request acknowledgments at 4270or wait for such acknowledgments at 4280. In some of these embodiments,the process 4200 simply ends after sending the PTD update notificationat 4270.

FIG. 43 presents a data flow diagram that shows the PTD replicationprocess of some embodiments in eight stages. This process serves toensure complete consistency in the PTD layer by channeling all PTDchanges through the master PTD instance. In this example, each stageshows four PTD instances, which include a first slave PTD instance 4350,a master PTD instance 4360, a PTD-less instance 4370, and a second slavePTD instance 4380. Each instance contains a NIB 4361, a transfer modulelayer 4362, a coordination manager 4363, and a CM interface 4364. Themaster instance 4360 also has a master PTD 4365. Each slave instance hasa slave PTD 4351. The PTD-less instance 4370 has no PTD.

As shown in FIG. 43, the first stage 4305 shows four PTD instances atsteady state. In the second stage 4310, the slave instance's transfermodule 4362 detects a change in the NIB and transfers 4392 that changeto the slave instance's CM interface 4364. In the third stage 4315, theCM interface 4364 of the slave instance 4350 sends notification 4393 tothe CM interface 4364 of the master instance 4360 of the change theslave is trying to push to the PTD layer. In some embodiments, the slaveinstance's transfer module 4362 directly contacts the master instance'sCM interface 4364 when it detects a change in the NIB during the secondstage. In such a case, the third stage 4315 would not be needed as themaster's CM interface would be notified directly during the second stage4310.

In the fourth stage 4320, the CM interface 4364 of the master instance4360 pushes the requested change to the master PTD 4394. In this casethe master instance 4360 approved the change and wrote it to the masterPTD. However, in other cases, the master could have refused the changeand sent an error message back to the slave controller instance 4350.

The fifth stage 4325 shows the CM interface 4364 of the master instance4360 sending notification 4395 to the CM interfaces of the slaveinstances 4350 and 4380 of the change that the master has made to themaster PTD. In some embodiments, the master PTD sends the updated PTDrecord with its notification 4395 to the CM interfaces of the slaveinstances, while in other embodiments, the slave CM interfaces retrievethe updated PTD record from the master after receiving notification ofthe change from the master.

In the sixth stage 4330, the CM interfaces of the slave instances 4350and 4380 write an update 4396 to change to their slave PTDs. In theseventh stage 4335, the CM interface 4364 of the master instance 4360receives acknowledgements 4397 from the slave instances 4350 and 4380that the slaves have performed the PTD change the master instance pushedto the slave instances during the fifth stage.

In the eighth stage 4340, the CM interface 4364 of the master instancepushes the change made to the PTD by sending a PTD update notificationto the NIB import modules inside the transfer modules 4362 of all thecontroller instances 4250, 4260, 4270, and 4280. In some embodiments,the PTD update notification causes each NIB import module to update itsNIB based on the change in the PTD. In some embodiments, this PTD updatenotification is accompanied with the updated record, while in otherembodiments, this notification causes the import module to query themaster PTD to retrieve the updated record. Also, in some embodiments,the master PTD does not send a PTD update notification to the NIB importmodule of the slave controller instance 4350 that detected the NIBchange for some or all NIB changes detected by this slave controllerinstance.

C. NIB Replication Through DHT

As mentioned above, the controller instances replicate data records inthe NIBs of all controller instances. In some embodiments, some of thisreplication is done through the PTD storage layer (e.g., by using theprocesses described in Section V.B. above, or similar processes) whilethe rest of this replication is done through the DHT storage layer.

FIG. 44 illustrates a process 4400 that is used in some embodiments topropagate a change in one NIB instance to the other NIB instancesthrough a DHT instance. This process is performed by the DHT instancethat receives a notification of a change in a NIB instance. As shown inFIG. 44, this process starts (at 4410) when this DHT instance receivesnotification that a NIB instance has changed a NIB record that has acorresponding record in the DHT instance. This notification can comefrom the export module of the NIB instance or from another DHT instance.This notification comes from the export module of the NIB instance thatmade the change, when the DHT instance that stores the correspondingrecord is the DHT instance that is within the same controller instanceas the NIB instance that made the change. Alternatively, thisnotification come from another DHT instance, when the DHT instance thatstores the corresponding record is not the DHT instance that is withinthe same controller instance as the NIB instance that made the change.In this latter scenario, the DHT instance within the same controllerinstance (1) receives the notification from its corresponding NIB exportmodule, (2) determines that the notification is for a record containingin another DHT instance, and (3) relays this notification to the otherDHT instance.

After 4410, the DHT instance then modifies (at 4420) according to theupdate notification its record that corresponds to the updated NIBrecord. Next, at 4430, the DHT instance retrieves for the updated DHTrecord a list of all modules to call back in response to the updating ofthe DHT record. As mentioned above, one such list is stored with eachDHT record in some embodiments. Also, to effectuate NIB replicationthrough the DHT storage layer, this list includes the identity of theimport modules of all NIB instances in some embodiments. Accordingly, at4430, the process 4400 retrieves the list of all NIB import modules andsends to each of these modules a notification of the DHT record update.In response to this update notification, each of the other NIB instances(i.e., the NIB instances other than the one that made the originalmodification that resulted in the start of the process 4400) updatetheir records to reflect this modification. After 4430, the process 4400ends.

VI. Electronic System

Many of the above-described features and applications are implemented assoftware processes that are specified as a set of instructions recordedon a computer readable storage medium (also referred to as computerreadable medium). When these instructions are executed by one or moreprocessing unit(s) (e.g., one or more processors, cores of processors,or other processing units), they cause the processing unit(s) to performthe actions indicated in the instructions. Examples of computer readablemedia include, but are not limited to, CD-ROMs, flash drives, RAM chips,hard drives, EPROMs, etc. The computer readable media does not includecarrier waves and electronic signals passing wirelessly or over wiredconnections.

In this specification, the term “software” is meant to include firmwareresiding in read-only memory or applications stored in magnetic storage,which can be read into memory for processing by a processor. Also, insome embodiments, multiple software inventions can be implemented assub-parts of a larger program while remaining distinct softwareinventions. In some embodiments, multiple software inventions can alsobe implemented as separate programs. Finally, any combination ofseparate programs that together implement a software invention describedhere is within the scope of the invention. In some embodiments, thesoftware programs, when installed to operate on one or more electronicsystems, define one or more specific machine implementations thatexecute and perform the operations of the software programs.

FIG. 45 conceptually illustrates an electronic system 4500 with whichsome embodiments of the invention are implemented. The electronic system4500 can be used to execute any of the control, virtualization, oroperating system applications described above. The electronic system4500 may be a computer (e.g., a desktop computer, personal computer,tablet computer, server computer, mainframe, a blade computer etc.),phone, PDA, or any other sort of electronic device. Such an electronicsystem includes various types of computer readable media and interfacesfor various other types of computer readable media. Electronic system4500 includes a bus 4505, processing unit(s) 4510, a system memory 4525,a read-only memory 4530, a permanent storage device 4535, input devices4540, and output devices 4545.

The bus 4505 collectively represents all system, peripheral, and chipsetbuses that communicatively connect the numerous internal devices of theelectronic system 4500. For instance, the bus 4505 communicativelyconnects the processing unit(s) 4510 with the read-only memory 4530, thesystem memory 4525, and the permanent storage device 4535.

From these various memory units, the processing unit(s) 4510 retrieveinstructions to execute and data to process in order to execute theprocesses of the invention. The processing unit(s) may be a singleprocessor or a multi-core processor in different embodiments.

The read-only-memory (ROM) 4530 stores static data and instructions thatare needed by the processing unit(s) 4510 and other modules of theelectronic system. The permanent storage device 4535, on the other hand,is a read-and-write memory device. This device is a non-volatile memoryunit that stores instructions and data even when the electronic system4500 is off. Some embodiments of the invention use a mass-storage device(such as a magnetic or optical disk and its corresponding disk drive) asthe permanent storage device 4535.

Other embodiments use a removable storage device (such as a floppy disk,flash drive, etc.) as the permanent storage device. Like the permanentstorage device 4535, the system memory 4525 is a read-and-write memorydevice. However, unlike storage device 4535, the system memory is avolatile read-and-write memory, such a random access memory. The systemmemory stores some of the instructions and data that the processor needsat runtime. In some embodiments, the invention's processes are stored inthe system memory 4525, the permanent storage device 4535, and/or theread-only memory 4530. 2655From these various memory units, theprocessing unit(s) 4510 retrieve instructions to execute and data toprocess in order to execute the processes of some embodiments.

The bus 4505 also connects to the input and output devices 4540 and4545. The input devices enable the user to communicate information andselect commands to the electronic system. The input devices 4540 includealphanumeric keyboards and pointing devices (also called “cursor controldevices”). The output devices 4545 display images generated by theelectronic system. The output devices include printers and displaydevices, such as cathode ray tubes (CRT) or liquid crystal displays(LCD). Some embodiments include devices such as a touchscreen thatfunction as both input and output devices.

Finally, as shown in FIG. 45, bus 4505 also couples electronic system4500 to a network 4565 through a network adapter (not shown). In thismanner, the computer can be a part of a network of computers (such as alocal area network (“LAN”), a wide area network (“WAN”), or an Intranet,or a network of networks, such as the Internet. Any or all components ofelectronic system 4500 may be used in conjunction with the invention.

Some embodiments include electronic components, such as microprocessors,storage and memory that store computer program instructions in amachine-readable or computer-readable medium (alternatively referred toas computer-readable storage media, machine-readable media, ormachine-readable storage media). Some examples of such computer-readablemedia include RAM, ROM, read-only compact discs (CD-ROM), recordablecompact discs (CD-R), rewritable compact discs (CD-RW), read-onlydigital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a varietyof recordable/rewritable DVDs (e.g., DVD-RAM, DVD−RW, DVD+RW, etc.),flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.),magnetic and/or solid state hard drives, read-only and recordableBlu-Ray® discs, ultra density optical discs, any other optical ormagnetic media, and floppy disks. The computer-readable media may storea computer program that is executable by at least one processing unitand includes sets of instructions for performing various operations.Examples of computer programs or computer code include machine code,such as is produced by a compiler, and files including higher-level codethat are executed by a computer, an electronic component, or amicroprocessor using an interpreter.

While the above discussion primarily refers to microprocessor ormulti-core processors that execute software, some embodiments areperformed by one or more integrated circuits, such as applicationspecific integrated circuits (ASICs) or field programmable gate arrays(FPGAs). In some embodiments, such integrated circuits executeinstructions that are stored on the circuit itself.

As used in this specification, the terms “computer”, “server”,“processor”, and “memory” all refer to electronic or other technologicaldevices. These terms exclude people or groups of people. For thepurposes of the specification, the terms display or displaying meansdisplaying on an electronic device. As used in this specification, theterms “computer readable medium,” “computer readable media,” and“machine readable medium” are entirely restricted to tangible, physicalobjects that store information in a form that is readable by a computer.These terms exclude any wireless signals, wired download signals, andany other ephemeral signals.

While the invention has been described with reference to numerousspecific details, one of ordinary skill in the art will recognize thatthe invention can be embodied in other specific forms without departingfrom the spirit of the invention. In addition, a number of the figures(including FIGS. 27, 28, 31, 33, 38, 40, 41, 42 and 44) conceptuallyillustrate processes. The specific operations of these processes may notbe performed in the exact order shown and described. The specificoperations may not be performed in one continuous series of operations,and different specific operations may be performed in differentembodiments. Furthermore, the process could be implemented using severalsub-processes, or as part of a larger macro process.

Also, several embodiments were described above in which a user providelogical datapath sets in terms of logical control plane data. In otherembodiments, however, a user may provide logical datapath sets in termsof logical forwarding plane data. In addition, several embodiments weredescribed above in which a controller instance provide physical controlplane data to a switching element in order to manage the switchingelement. In other embodiments, however, the controller instance mayprovide the switching elements with physical forwarding plane data. Insuch embodiments, the NIB would store physical forwarding plane data andthe virtualization application would generate such data.

Furthermore, in several examples above, a user specifies one or morelogic switches. In some embodiments, the user can provide physicalswitch configurations along with such logic switch configurations. Also,even though controller instances are described that in some embodimentsare individually formed by several application layers that execute onone computing device, one of ordinary skill will realize that suchinstances are formed by dedicated computing devices or other machines insome embodiments that perform one or more layers of their operations.Thus, one of ordinary skill in the art would understand that theinvention is not to be limited by the foregoing illustrative details.Thus, one of ordinary skill in the art would understand that theinvention is not to be limited by the foregoing illustrative details.

We claim:
 1. A controller computer that executes a controller instancefor execution by at least one processing unit, the controller instancefor managing a plurality of switching elements that forward data packetsin a network, the controller instance comprising: a set of applicationsfor generating data to implement a plurality of logical datapath sets,for a plurality of different users, on the plurality of switchingelements; a network information base (NIB) data structure for serving asa primary storage structure for storing the generated data; and aplurality of secondary storage structures, each secondary storagestructure for (i) storing at least a subset of the data stored in theprimary storage structure and (ii) providing a different interface forsupplying and retrieving data to and from the secondary storagestructure, wherein at least a portion of the data stored in at least oneof the primary and secondary storage structures is supplied as physicalcontrol plane data to at least one particular switching element of theplurality of switching elements in order for the particular switchingelement to implement a particular logical datapath set for a particularuser, and wherein the controller computer comprises a memory storagedevice for storing the NIB data structure.
 2. The controller computer ofclaim 1, wherein at least one of the secondary storage structures storesthe subset of data in order to improve the resiliency of the controllerinstance in an event that the NIB data structure's operation fails. 3.The controller computer of claim 2, wherein the memory storage devicefor storing the NIB data structure is a volatile memory and the NIBoperation fails when the controller computer on which the NIB datastructure is stored fails or turns off.
 4. The controller computer ofclaim 3, wherein the memory storage device is a first memory storagedevice, the controller computer further comprising a second memorystorage device for storing at least one secondary storage structure ofthe plurality of secondary storage structures, wherein the second memorystorage device is a non-volatile memory.
 5. The controller computer ofclaim 1, wherein the plurality of secondary storage structures comprisesa particular secondary storage structure for accessing the subset of thedata faster than accessing the data stored in the NIB data structure. 6.The controller computer of claim 5, wherein the particular secondarystorage structure is a distributed hash table.
 7. The controllercomputer of claim 1, wherein the plurality of secondary storagestructures comprises a particular secondary storage structure for (i)processing a plurality of queries on the subset of the data and (ii)undoing a set of the plurality of queries on the subset of the data. 8.The controller computer of claim 7, wherein the particular secondarystorage structure is a transactional database.
 9. The controllercomputer of claim 1, wherein each user of the plurality of users is atenant in a multi-tenant server hosting system.
 10. For a controller, amethod for managing a plurality of switching elements that forwardnetwork data in a network, the method comprising: generating data toimplement a plurality of logical datapath sets, for a plurality ofdifferent users, on the plurality of switching elements; at a networkinformation base (NIB) data structure for serving as a primary storagestructure, storing the generated data; and at a plurality of secondarystorage structures, storing a plurality of different subsets of thegenerated data stored in the primary storage structure, wherein eachsecondary storage structure provides a different interface for supplyingand retrieving data to and from the secondary storage structure, whereinat least a portion of the data stored in at least one of the primary andsecondary storage structures is supplied as physical control plane datato at least one particular switching element of the plurality ofswitching elements in order for the particular switching element toimplement a particular logical datapath set for a particular user. 11.The method of claim 10, wherein at least one of the plurality ofsecondary storage structures stores a subset of the generated data inorder to improve the resiliency of the system in an event that the NIBdata structure's operation fails.
 12. The method of claim 11, whereinthe NIB data structure is stored in a volatile memory and the NIBoperation fails when a machine on which the NIB data structure is storedfails or turns off.
 13. The method of claim 12, wherein at least one ofthe plurality of secondary storage structures is stored in anon-volatile memory.
 14. The method of claim 10, wherein the pluralityof secondary storage structures comprises a particular storage structurefor accessing a subset of the generated data faster than accessing thegenerated data stored in the NIB data structure.
 15. The method of claim14, wherein the particular storage structure is a distributed hashtable.
 16. The method of claim 10 further comprising processing aplurality of queries on a subset of the generated data.
 17. The methodof claim 16 further comprising undoing a set of the plurality of querieson the subset of the generated data.
 18. The method of claim 16, whereinat least one of the plurality of secondary storage structures is atransactional database.
 19. A network control system for managing aplurality of switching elements for forwarding data between a pluralityof hosts, the network control system comprising: a plurality ofcontroller instances, each controller instance for managing a set ofswitching elements of the plurality of switching elements, eachcontroller instance comprising: a set of applications for generatingdata to implement a plurality of logical datapath sets, for plurality ofdifferent users, on the set of switching elements; a primary storagestructure for storing data for managing the set of switching elements;and a plurality of secondary storage structures, each secondary storagestructure for providing a different secondary storage operation for thecontroller instance in order to supplement primary storage operations ofthe primary storage structure for the controller instance, wherein atleast one secondary storage structure is for storing at least a subsetof the data stored in the primary storage structure, wherein a portionof the data stored in at least one of the primary and secondary storagestructures is supplied as physical control plane data to at least oneparticular switching element of the set of switching elements in orderfor the particular switching element to implement a particular logicaldatapath set for a particular user.
 20. The network control system ofclaim 19, wherein the secondary storage operation that a particularsecondary storage structure of the plurality of secondary storagestructures provides comprises backing up the data stored in the primarystorage structure.
 21. The network control system of claim 19, whereinthe secondary storage operation that at least two of the secondarystorage structures provides comprises backing up the data stored in theprimary storage structure.
 22. The network control system of claim 19,wherein the secondary storage operation that a particular secondarystorage structure of the plurality of secondary storage structuresprovides comprises facilitating communication between the controllerinstance and another controller instance that manages another set ofswitching elements.
 23. The network control system of claim 19, whereinthe secondary storage operation that a particular secondary storagestructure of the plurality of secondary storage structures providescomprises storing data that is not stored in the primary storagestructure.
 24. The network control system of claim 19, wherein at leastone storage device for storing the primary storage structure is avolatile memory.
 25. The network control system of claim 19, wherein atleast one storage device for storing a secondary storage structure ofthe plurality of secondary storage structures is a non-volatile memory.26. The network control system of claim 19, wherein a set of storagedevices for storing the primary and secondary storage structurescomprises a random access memory and a hard disk.